LNCS 2986 




David Schmidt (Ed.) 



Programming 
Languages 
and Systems 

13th European Symposium on Programming, ESOP 2004 
Held as Part of the Joint European Conferences 
on Theory and Practice of Software, ETAPS 2004 
Barcelona, Spain, March/April 2004, Proceedings 






Lecture Notes in Computer Science 2986 

Edited by G. Goos, J. Hartmanis, and J. van Leeuwen 




Springer 

Berlin 
Heidelberg 
New York 
Hong Kong 
London 
Milan 
Paris 
Tokyo 




David Schmidt (Ed.) 



Programming 
Languages 
and Systems 



13th European Symposium on Programming, ESOP 2004 
Held as Part of the Joint European Conferences 
on Theory and Practice of Software, ETAPS 2004 
Barcelona, Spain, March 29 - April 2, 2004 
Proceedings 




Springer 




Series Editors 



Gerhard Goos, Karlsruhe University, Germany 
Juris Hartmanis, Cornell University, NY, USA 
Jan van Leeuwen, Utrecht University, The Netherlands 

Volume Editor 
David Schmidt 

Kansas State University, Department of Computing and Information Sciences 
234 Nichols Hall. Manhattan, KS 66506, USA 
E-mail: schmidt@cis.ksu.edu 



Library of Congress Control Number: 2004102322 



CR Subject Classification (1998): D.3, D.l, D.2, F.3, F.4, E.l 
ISSN 0302-9743 

ISBN 3-540-21313-9 Springer- Verlag Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer- Verlag. Violations are 
liable for prosecution under the German Copyright Law. 

Springer- Verlag is a part of Springer Science+Business Media 

springeronline.com 

© Springer-Verlag Berlin Heidelberg 2004 
Printed in Germany 

Typesetting: Camera-ready by author, data conversion by PTP-Berlin, Protago-TeX-Production GmbH 
Printed on acid-free paper SPIN: 1099448 1 06/3142 5 4 3 2 1 0 




Preface 



This volume contains the 28 papers presented at ESOP 2004, the 13tlr European 
Symposium on Programming, which took place in Barcelona, Spain, March 29- 
31, 2004. The ESOP series began in 1986 with the goal of bridging the gap 
between theory and practice, and the conferences continue to be devoted to 
explaining fundamental issues in the specification, analysis, and implementation 
of programming languages and systems. 

The volume begins with a summary of an invited contribution by Peter 
O’Hearn, titled Resources, Concurrency and Local Reasoning , and continues with 
the 27 papers selected by the Program Committee from 118 submissions. 

Each submission was reviewed by at least three referees, and papers were 
selected during a ten-day electronic discussion phase. I would like to sincerely 
thank the members of the Program Committee, as well as their subreferees, for 
their diligent work; Torben Amtoft, for helping me collect the papers for the 
proceedings; and Tiziana Margaria, Bernhard Steffen, and their colleagues at 
METAFrame, for the use of their conference management software. 



David Schmidt 
Program Chair 
ESOP 2004 




Organization 



Program Committee 



Torben Amtoft 

Henri Bal 

Radhia Cousot 

Pierpaolo Degano 

Mariangiola Dezani-Ciancaglini 

Pascal Fradet 

Michael Gordon 

Eric Goubault 

Joshua Guttman 

Fritz Henglein 

Matthew Hennessy 

Markus Miiller-Olm 

Martin Oclersky 

German Puebla 
David Schmidt 
Michael Schwartzbaclr 
Harald Spndergaard 
Peter Thiemann 
Mitchell Wand 
Kwangkeun Yi 



Kansas State University (USA) 

Vrije Universiteit (Netherlands) 

Ecole Polytechnique (France) 
Universita di Pisa (Italy) 

Universita di Torino (Italy) 

INRIA Rhone- Alpes (France) 
University of Cambridge (UK) 
CEA/Saclay (France) 

MITRE (USA) 

University of Copenhagen (Denmark) 
University of Sussex (UK) 

Universitat Hagen (Germany) 

Ecole Polytechnique Federale 
de Lausanne (Switzerland) 

Technical University of Madrid (Spain) 
Kansas State University (USA) 
University of Aarhus (Denmark) 
University of Melbourne (Australia) 
Universitat Freiburg (Germany) 
Northeastern University (USA) 

Seoul National University (Korea) 



Referees 

Mads Sig Ager, Elvira Albert, Thomas Ambus, Ki-yung Aim, Ricardo Baeza- 
Yates, Roberto Bagnara, Harald James Bailey, Steffen Bakel, Massimo Barto- 
letti, Josh Berdine, Martin Berger, Frederic Besson, Massimo Bartoletti, Lorenzo 
Bettini, Bruno Blanchet, Clriara Bodei, Viviana Bono, Mikael Buchlroltz, Mi- 
chele Bugliesi, Emir Burak, Lilian Burdy, Marzia Buscemi, Daniel Cabeza, Luis 
Caires, Manuel Carro, Rohit Clradha, Manuel Clrakravarty, Byeong-Mo Chang, 
Aske Simon Chistensen, Woongsik Choi, Damien Ciabrini, Ana Cristina Vieira 
de Melo, Mario Coppo, Andrea Corradini, Patrick Cousot, Silvia Crafa, Vin- 
cent Cremet, Michele Curti, Vincent Danos, Kyung-Goo Doh, Guillaume Dufay, 
Hyunjun Eo, Francois Fages, Manuel Fahndrich, Matthias Felleisen, Jerome Fe- 
ret, Mary Fernandez, GianLuigi Ferrari, Kathleen Fisher, Matthew Flatt, Ric- 
cardo Focardi, Cedric Fournet, Alain Frisch, Carsten Fiihrmann, Fabio Gad- 
ducci, Vladimir Gapeyev, Martin Gasbichler, Thomas Genet, Roberto Giaco- 
bazzi, Paola Giannini, Mariangiola Elio Giovannetti, Alain Girault, Roberto 
Gorrieri, Jean Goubault-Larrecq, Dick Grune, Stefano Guerrini, John Hatcliff, 
Simon Helsen, Fergus Henderson, Angel Herranz, Christoph Herrmann, Jonat- 




X 



Organization 



han Herzog, Michael Thomas Hildebrandt, Raff Hinze, Daniel Hirsclrkoff, Tom 
Hirschowitz, Frank Huch, Paul Hudak, Sebastian Hunt, Charles Hymans, Ce- 
riel Jacobs, Alan Jeffrey, Johan Jeuring, Neil Jones, Hyun-Goo Kang, Jeroen 
Ketema, Iksoon Kim, Andy King, Christian Kirkegaard, Oleg Kiselyov, Dexter 
Kozen, Karl Krukow, Raff Laemmel, Cosimo Laneve, Oukseh Lee, Ugo de’ Li- 
guoro, Jim Lipton, Francesco Logozzo, Michele Loreti, Henning Maklrolm, Julio 
Marino, Matthieu Martel, Damien Masse, Laurent Mauborgne, Richard Mayr, 
Edison Mera, Nikolay Mihaylov, Dale Miller, Antoine Mine, Alberto Momiglli- 
ano, Benjamin Monate, David Monniaux, Anders Mpller, Jose F. Morales, Peter 
Muller, Harald Lee Naish, George Necula, Matthias Neubauer, Oliver Niese, Hen- 
rik Nilsson, Henning Niss, Thomas Noll, Peter O’Hearn, Peter Padawitz, Benja- 
min Pierce, Adolfo Piperno, Marco Pistore, Enrico Pontelli, Bernard Pope, Rosa- 
rio Pugliese, John Ramsdell, Femke Raamsdonk, Olivier Ridoux, Xavier Rival, 
Simona Ronchi Della Rocca, Andreas Rossberg, Oliver Riithing, Eric Rutten, 
Luca Roversi, Jean-Claude Royer, Sukyoung Ryu, Jaime Sanclrez-Hernandez, 
Dave Sands, Vladimiro Sassone, Helmut Seidl, Harald R. Sekar, Sunae Seo, Alex- 
ander Serebrenik, Manuel Serrano, Wendelin Serwe, Peter Sestoft, Peter Sewell, 
Nikolay Shilov, Seung-Cheol Shin, Detlef Sieling, Axel Simon, Elodie-Jane Sims, 
Jan-Georg Smaus, Christian Stefansen, Erik Stenman, Peter Stuckey, Josef Sven- 
ningsson, Vipin Swarup, Nik Swoboda, Lucy Mari Tabuti, Javier Thayer, Simone 
Tini, Franklyn Turbak, Pawel Urzyczyn, Frank D. Valencia, Vasco Vasconcelos, 
Roel de Vrijer, Joe Wells, Hongseok Yang, Nobuko Yoshida, Matthias Zenger, 
Roberto Zunino 




Table of Contents 



Resources, Concurrency, and Local Reasoning 1 

Peter W. O'Hearn 

Relational Abstract Domains for the Detection of Floating-Point 

Run-Time Errors 3 

Antoine Mine 

Strong Preservation as Completeness in Abstract Interpretation 18 

Francesco Ranzato, Francesco Tapparo 

Static Analysis of Digital Filters 33 

Jerome Feret 

Sound and Decidable Type Inference for Functional Dependencies 49 

Gregory J. Duck, Simon Peyton-Jones, Peter J. Stuckey, 

Martin Sulzmann 

Call-by- Value Mixin Modules (Reduction Semantics, 

Side Effects, Types) 64 

Tom Hirschowitz, Xavier Leroy, J.B. Wells 

ML-Like Inference for Classifiers 79 

Cristiano Calcagno, Eugenio Moggi, Walid Taha 

From Constraints to Finite Automata to Filtering Algorithms 94 

Mats Carlsson, Nicolas Beldiceanu 

A Memoizing Semantics for Functional Logic Languages 109 

Salvador Espaiia, Vicent Estruch 

Adaptive Pattern Matching on Binary Data 124 

Per Gustafsson, Konstantinos Sagonas 

Compositional Analysis of Authentication Protocols 140 

Michele Bugliesi, Riccardo Focardi, Matteo Maffei 

A Distributed Abstract Machine for Boxed Ambient Calculi 155 

Andrew Phillips, Nobuko Yoshida, Susan Eisenbach 

A Dependently Typed Ambient Calculus 171 

Cedric Lhoussaine, Vladimiro Sassone 

A Control Flow Analysis for Safe and Boxed Ambients 188 

Francesca Levi, Chiara Bodei 




XII 



Table of Contents 



Linear Types for Packet Processing 204 

Robert Ennals, Richard Sharp, Alan Mycroft 

Modal Proofs as Distributed Programs 219 

Limin Jia, David Walker 

ULM: A Core Programming Model for Global Computing 234 

Gerard Boudol 

A Semantic Framework for Designer Transactions 249 

Jan Vitek, Suresh Jagannathan, Adam Welc, Antony L. Hosking 

Semantical Analysis of Specification Logic, 3 

(An Operational Approach) 264 

Dan R. Ghica 

Answer Type Polymorphism in Call-by-Name Continuation Passing 279 

Hayo Thielecke 

System E: Expansion Variables for Flexible Typing with Linear 

and Non-linear Types and Intersection Types 294 

Sebastien Carlier, Jeff Polakow, J.B. Wells, A.J. Kfoury 

A Hardest Attacker for Leaking References 310 

Rene Rydhof Hansen 

Trust Management in Strand Spaces: A Rely-Guarantee Method 325 

Joshua D. Guttman, F. Javier Thayer, Jay A. Carlson, 

Jonathan C. Herzog, John D. Ramsdell, Brian T. Sniffen 

Just Fast Keying in the Pi Calculus 340 

Martin Abadi, Bruno Blanchet, Cedric Fournet 

Decidable Analysis of Cryptographic Protocols with Products and 

Modular Exponentiation 355 

Vitaly Shmatikov 

Functors for Proofs and Programs 370 

Jean-Christophe Filliatre, Pierre Letouzey 

Extracting a Data Flow Analyser in Constructive Logic 385 

David Cachera, Thomas Jensen, David Pichardie, Vlad Rusu 

Canonical Graph Shapes 401 

Arend Rensink 



Author Index 



417 




Foreword 



ETAPS 2004 was the seventh instance of the European Joint Conferences on 
Theory and Practice of Software. ETAPS is an annual federated conference that 
was established in 1998 by combining a number of existing and new conferences. 
This year it comprised five conferences (FOSSACS, FASE, ESOP, CC, TACAS), 
23 satellite workshops, 1 tutorial, and 7 invited lectures (not including those 
that are specific to the satellite events). 

The events that comprise ETAPS address various aspects of the system de- 
velopment process, including specification, design, implementation, analysis and 
improvement. The languages, methodologies and tools that support these ac- 
tivities are all well within its scope. Different blends of theory and practice are 
represented, with an inclination towards theory with a practical motivation on 
the one hand and soundly based practice on the other. Many of the issues invol- 
ved in software design apply to systems in general, including hardware systems, 
and the emphasis on software is not intended to be exclusive. 

ETAPS is a loose confederation in which each event retains its own identity, 
with a separate program committee and independent proceedings. Its format is 
open-ended, allowing it to grow and evolve as time goes by. Contributed talks 
and system demonstrations are in synchronized parallel sessions, with invited 
lectures in plenary sessions. Two of the invited lectures are reserved for “unify- 
ing” talks on topics of interest to the whole range of ETAPS attendees. The 
aim of cramming all this activity into a single one-week meeting is to create a 
strong magnet for academic and industrial researchers working on topics within 
its scope, giving them the opportunity to learn about research in related areas, 
and thereby to foster new and existing links between work in areas that were 
formerly addressed in separate meetings. 

ETAPS 2004 was organized by the LSI Department of the Catalonia Tech- 
nical University (UPC), in cooperation with: 

European Association for Theoretical Computer Science (EATCS) 
European Association for Programming Languages and Systems 
(EAPLS) 

European Association of Software Science and Technology (EASST) 

ACM SIGACT, SIGSOFT and SIGPLAN 

The organizing team comprised 

Jordi Cortadella (Satellite Events), Nikos Mylonakis, Robert Nieuwenhuis, 
Fernando Orejas (Chair), Edelmira Pasarella, Sonia Perez, Elvira Pino, 
Albert Rubio 

and had the assistance of TILES A OPC. 

ETAPS 2004 received generous sponsorship from: 




VI 



Foreword 



UPC, Spanish Ministry of Science and Technology (MCYT), Catalan 
Department for Universities, Research and Information Society (DURSI), 
IBM, Intel. 

Overall planning for ETAPS conferences is the responsibility of its Steering 
Committee, whose current membership is: 

Ratislav Bodik (Berkeley) , Maura Cerioli (Genoa) , Evelyn Duesterwalcl 
(IBM, Yorktown Heights), Hartmut Ehrig (Berlin), Jose Fiadeiro 
(Leicester), Marie-Claude Gaudel (Paris), Andy Gordon (Microsoft Re- 
search, Cambridge), Roberto Gorrieri (Bologna), Nicolas Halbwachs 
(Grenoble), Gurel Hedin (Lund), Kurt Jensen (Aarhus), Paul Klint 
(Amsterdam), Tiziana Margaria (Dortmund), Ugo Montanari (Pisa), 
Hanne Riis Nielson (Copenhagen), Fernando Orejas (Barcelona), Mauro 
Pezze (Milan), Andreas Podelski (Saarbriicken), Mooly Sagiv (Tel Aviv), 
Don Sannella (Edinburgh), Vladimiro Sassone (Sussex), David Schmidt 
(Kansas), Bernhard Steffen (Dortmund), Perdita Stevens (Edinburgh), 
Andrzej Tarlecki (Warsaw), Igor Walukiewicz (Bordeaux), Michel 
Wermelinger (Lisbon) 

I would like to express my sincere gratitude to all of these people and orga- 
nizations, the program committee chairs and PC members of the ETAPS confe- 
rences, the organizers of the satellite events, the speakers themselves, and finally 
Springer- Verlag for agreeing to publish the ETAPS proceedings. This year, the 
number of submissions approached 600, making acceptance rates fall to 25%. I 
congratulate the authors who made it into the final program! I hope that all the 
other authors still found a way of participating in this exciting event and I hope 
you will continue submitting. 

In 2005, ETAPS will be organized by Don Sannella in Edinburgh. You will be 
welcomed by another “local” : my successor as ETAPS Steering Committee Chair 
- Perdita Stevens. My wish is that she will enjoy coordinating the next three 
editions of ETAPS as much as I have. It is not an easy job, in spite of what 
Don assured me when I succeeded him! But it is definitely a very rewarding 
one. One cannot help but feel proud of seeing submission and participation 
records being broken one year after the other, and that the technical program 
reached the levels of quality that we have been witnessing. At the same time, 
interacting with the organizers has been a particularly rich experience. Having 
organized the very first edition of ETAPS in Lisbon in 1998, I knew what they 
were going through, and I can tell you that each of them put his/her heart, soul, 
and an incredible amount of effort into the organization. The result, as we all 
know, was brilliant on all counts! Therefore, my last words are to thank Susanne 
Graf (2002), Andrzej Tarlecki and Pawel Urzyczyn (2003), and Fernando Orejas 
(2004) for the privilege of having worked with them. 



Leicester, January 2004 



Jose Luiz Fiadeiro 
ETAPS Steering Committee Chairman 




Resources, Concurrency, and Local Reasoning 

(Abstract) 



Peter W. O ’Hearn 
Queen Mary, University of London 



In the 1960s Dijkstra suggested that, in order to limit the complexity of po- 
tential process interactions, concurrent programs should be designed so that 
different processes behave independently, except at rare moments of synchro- 
nization [3]. Then, in the 1970s Hoare and Brinclr Hansen argued that debug- 
ging and reasoning about concurrent programs could be considerably simplified 
using compiler-enforceable syntactic constraints that preclude interference [4,1]; 
scope restrictions were described which had the effect that all process interac- 
tion was mediated by a critical region or monitor. Based on such restrictions 
Hoare described proof rules for shared-variable concurrency that were beauti- 
fully modular [4]: one could reason locally about a process, and simple syntactic 
checks ensured that no other process could tamper with its state in a way that 
invalidated the local reasoning. 

The major problem with Hoare and Brinclr Hansen’s proposal is that its 
scope-based approach to resource separation is too restrictive for many real- 
istic programs. It does not apply to flexible but unstructured constructs such 
as semaphores, and the syntactic checks it relies on are insufficient to rule out 
interference in the presence of pointers and aliasing. Proof methods were subse- 
quently developed which allow reasoning in the presence of interference [9,10,5], 
and the reasoning that they support is much more powerful that that of [4] , but 
also much less modular. 

There is thus a mismatch, between the intuitive basis of concurrent program- 
ming with resources, where separation remains a vital design idea, and formal 
techniques for reasoning about such programs, where methods based on separa- 
tion are severely limited. The purpose of this work is to revisit these issues, using 
the recent formalism of separation logic [11]. The general point is that by using a 
logic of resources [7] rather than syntactic constraints we can overcome the lim- 
itations of scope-based approaches, while retaining their modular character. We 
describe a variation on the proof rules of Hoare for contitional critical regions, 
using the “separating conjunction” connective to preclude pointer-based inter- 
ference. With the modified rules we can at once handle many examples where 
a linked data structure rather than, say, an array is used within a process, or 
within a data abstraction that mediates interprocess interaction. 

The rules have a further interesting effect when a data abstraction keeps 
track of pointers as part of its data, rather than just as part of its implementa- 
tion. The separating conjunction allows us to partition memory in a dynamically 
reconfigurable way, extending the static partioning done by critical regions or 
monitors when there is no heap. This enables us to handle a number of subtler 

D.A. Schmidt (Ed.): ESOP 2004, LNCS 2986, pp. 1-2, 2004. 

(c) Springer- Verlag Berlin Heidelberg 2004 




2 



P.W. O’Hearn 



programs, where a pointer is transferred from one process to another, or between 
a process and a monitor, and the ownership of the storage pointed to transfers 
with it. Ownership transfer is common in systems programs. For example, inter- 
action with a memory manager results in pieces of storage transferring between 
the manager and its clients as allocation and deallocation operations are per- 
formed [8] . Another typical example is efficient message passing, where a pointer 
is transferred from one process to another in order to avoid copying large pieces 
of data. 

Dynamic partitioning turns out also to be the key to treating lower level, 
unstructured constructs which do not use explicit critical regions. In particular, 
our formalism supports a view of semaphores as ownership transformers, that 
(logically) release and seize portions of storage in addition to their (operational) 
behaviour as counting-based synchronizers. Local reasoning [6] is possible in such 
a situation because dynamic, non scope-based, uses of semaphores to protect 
resources are matched by the dynamic, non scope-based, approach to resource 
separation provided by separation logic. 

A special role in this work is played by “precise” assertions, which are ones 
that unambiguously specify a portion of storage (an assertion is precise if, for any 
given heap, there is at most one subheap that satisfies it). Precision is essential 
for the soundness of the proof rules, which work by decomposing the state in a 
system into that owned by various processes and resources (or monitors). Precise 
assertions fulfill a similar role in recent work on information hiding [8] , and are 
used by Brookes in his semantic analysis of our concurrency proof rules [2] . 



References 

[1] P. Brinch Hansen. Operating System Principles. Prentice Hall, 1973. 

[2] S. D. Brookes. A semantics for concurrent separation logic. Draft of 7/25/03, 
2003. 

[3] E. W. Dijkstra. Cooperating sequential processes. In F. Genuys, editor, Program- 
ming Languages , pages 43-112. Academic Press, 1968. 

[4] C. A. R. Hoare. Towards a theory of parallel programming. In Hoare and Perrot, 
editors, Operating Systems Techniques. Academic Press, 1972. 

[5] C. B. Jones. Specification and design of (parallel) programs. IFIP Conference, 
1983. 

[6] P. O’Hearn, J. Reynolds, and H. Yang. Local reasoning about programs that alter 
data structures. In Proceedings of 15th Annual Conference of the European Asso- 
ciation for Computer Science Logic, LNCS, pages 1-19. Springer- Verlag, 2001. 

[7] P. W. O’Hearn and D. J. Pym. The logic of bunched implications. Bulletin of 
Symbolic Logic, 5(2):215-244, June 99. 

[8] P. W. O’Hearn, H. Yang, and J. C. Reynolds. Separation and information hiding. 
In 31st POPL, pages 268-280, Venice, January 2004. 

[9] S. Owicki and D. Gries. An axiomatic proof technique for parallel programs. Acta 
Informatica, (19):319-340, 1976. 

[10] A. Pnueli. The temporal semantics of concurrent programs. Theoretical Computer 
Science, 13(1), 45-60, 1981. 

[11] J. C. Reynolds. Separation logic: a logic for shared mutable data structures. 
Invited Paper, LICS’02, 2002. 




Relational Abstract Domains for the Detection 
of Floating-Point Run-Time Errors* 



Antoine Mine 

DI-Ecole Normale Superieure de Paris, France, 

mineSdi . ens . f r 



Abstract. We present a new idea to adapt relational abstract domains 
to the analysis of IEEE 754-compliant floating-point numbers in order to 
statically detect, through Abstract Interpretation-based static analyses, 
potential floating-point run-time exceptions such as overflows or invalid 
operations. In order to take the non-linearity of rounding into account, 
expressions are modeled as linear forms with interval coefficients. We 
show how to extend already existing numerical abstract domains, such 
as the octagon abstract domain, to efficiently abstract transfer functions 
based on interval linear forms. We discuss specific fixpoint stabilization 
techniques and give some experimental results. 



1 Introduction 

It is a well-established fact, since the failure of the Ariane 5 launcher in 1996, 
that run-time errors in critical embedded software can cause great financial — 
and human — losses. Nowadays, embedded software is becoming more and more 
complex. One particular trend is to abandon fixed-point arithmetics in favor of 
floating-point computations. Unfortunately, floating-point models are quite com- 
plex and features such as rounding and special numbers (infinities, NaN , etc.) 
are not always understood by programmers. This has already led to catastrophic 
behaviors, such as the Patriot missile story told in [16]. 

Much work is concerned about the precision of the computations, that is 
to say, characterizing the amount and cause of drift between a computation 
on perfect reals and the corresponding floating-point implementation. Ours is 
not. We seek to prove that an exceptional behavior (such as division by zero or 
overflow) will not occur in any execution of the analyzed program. While this is 
a simpler problem, our goal is to scale up to programs of hundreds of thousands 
of lines with full data coverage and very few (even none) false alarms. 

Our framework is that of Abstract Interpretation, a generic framework for 
designing sound static analyses that already features many instances [6,7]. We 
adapt existing relational numerical abstract domains (generally designed for 
the analysis of integer arithmetics) to cope with floating-point arithmetics. 
The need for such domains appeared during the successful design of a com- 
missioned special-purpose prototype analyzer for a critical embedded avionics 

* This work was partially supported by the ASTREE RNTL project. 

D.A. Schmidt (Ed.): ESOP 2004, LNCS 2986, pp. 3-17, 2004. 

(c) Springer- Verlag Berlin Heidelberg 2004 




4 



A. Mine 



system. Interval analysis, used in a first prototype [3], proved too coarse because 
error-freeness of the analyzed code depends on tests that are inherently poorly 
abstracted in non-relational abstract domains. We also had to design special- 
purpose widenings and narrowings to compensate for the pervasive rounding 
errors, not only in the analyzed program, but also introduced by our efficient 
abstractions. These techniques were implemented in our second prototype whose 
overall design was presented in [4]. The present paper focuses on improvements 
and novel unpublished ideas; it is also more generic. 

2 Related Work 

Abstract Domains. A key component in Abstract-interpretation-based anal- 
yses is the abstract domain which is a computer-representable class of program 
invariants together with some operators to manipulate them: transfer functions 
for guards and assignments, a control-flow join operator, and fixpoint acceler- 
ation operators (such as widenings V and narrowings A) aiming at the correct 
and efficient analysis of loops. One of the simplest yet useful abstract domain is 
the widespread interval domain [6]. Relational domains, which are more precise, 
include Cousot and Halbwachs’s polyhedron domain [8] (corresponding to in- 
variants of the form ^ c-iV-i < c), Mine’s octagon domain [14] (±iy ± Vj < c), and 
Simon’s two variables per inequality domain [15] (avi + / 3vj < c). Even though 
the underlying algorithms for these relational domains allow them to abstract 
sets of reals as well as sets of integers, their efficient implementation — in a maybe 
approximate but sound way — using floating-point numbers remains a challenge. 
Moreover, these relational domains do not support abstracting floating-point 
expressions, but only expressions on perfect integers, rationals, or reals. 

Floating-Point Analyses. Much work on floating-point is dedicated to the 
analysis of the precision of the computations and the origins of the rounding 
errors. The CESTAC method [17] is widely used, but also much debated as it is 
based on a probabilistic model of error distribution and thus cannot give sound 
answers. An interval-based Abstract Interpretation for error terms is proposed in 
[1]. Some authors [11,13] go one step further by allowing error terms to be related 
in relational, even non-linear, domains. Unfortunately, this extra precision does 
not help when analyzing programs whose correctness also depends upon relations 
between variables and not only error terms (such as programs with inequality 
tests, as in Fig. 3). 

Our Work. We first present our IEEE 754-based computation model (Sect. 3) 
and recall the classical interval analysis adapted to floating-point numbers 
(Sect. 4). We present, in Sect. 5, an abstraction of floating-point expressions 
in terms of interval linear forms over the real field and use it to refine the inter- 
val domain. Sect. 6 shows how some relational abstract domains can be efficiently 
adapted to work on these linear forms. Sect. 7 presents adapted widening and 
narrowing techniques. Finally, some experimental results are shown in Sect. 8. 




Relational Abstract Domains 



5 



3 IEEE 754-Based Floating-Point Model 

We present in this section the concrete floating-point arithmetics model that we 
wish to analyze and which is based on the widespread IEEE 754-1985 [5] norm. 

3.1 IEEE 754 Floating-Point Numbers 

The binary representation of a IEEE 754 number is composed of three fields: 

• a 1-bit sign s; 

• an exponent e — bias, represented by a biased e-bit unsigned integer e; 

• a fraction f = .bi . . . b p , represented by a p-bit unsigned integer. 

The values e, bias, and p are format-specific. We will denote by F the set of 
all available formats and by f = 32 the 32-bit single format (e = 8, bias = 127, 
and p = 23). Floating-point numbers belong to one of the following categories: 

• normalized numbers (— l) s x 2 2 ~ blas x 1./, when 1 < e < 2 e — 2; 

• denormalized numbers (— l) s x 2 1-blas x 0./, when e = 0 and / ^ 0; 

• +0 or —0 (depending on s), when e = 0 and / = 0; 

• +oo or —oo (depending on s), when e = 2 e — 1 and / = 0; 

• error codes (so-called NaN ), when e = 2 e — 1 and / ^ 0. 

For each format f £ F we define in particular: 

• m/ f = 2 1 ~ blas_p the smallest non-zero positive number; 

• M/f = (2 — 2 _p )2 2 - blas - 2 ) the largest non-infinity number. 

The special values +oo and — oo may be generated as a result of operations 
undefined on R (such as 1/+0), or when a result’s absolute value overflows M/ f . 
Other undefined operations (such as +0/+0) result in a NaN (that stands for 
Not A Number ). The sign of 0 serves only to distinguish between 1/+0 = +oo 
and 1/— 0 = — oo; +0 and —0 are indistinguishable in all other contexts (even 
comparison) . 

Due to the limited number of digits, the result of a floating-point operation 
needs to be rounded. IEEE 754 provides four rounding modes: towards 0, towards 
+ 00 , towards — oo, and to nearest. Depending on this mode, either the floating- 
point number directly smaller or directly larger than the exact real result is 
chosen (possibly +oo or — oo). Rounding can build infinities from non-infinities 
operands (this is called overflow), and it may return zero when the absolute 
value of the result is too small (this is called underflow) . Because of this rounding 
phase, most algebraic properties of R, such as associativity and distributivity, 
are lost. However, the opposite of a number is always exactly represented (unlike 
what happens in two-complement integer arithmetics) , and comparison operators 
are also exact. See [10] for a description of the classical properties and pitfalls of 
the floating-point arithmetics. 

3.2 Custom Floating-Point Computation Model 

We focus our analysis on the large class of programs that treat floating-point 
arithmetics as a practical approximation to the mathematical reals R: roundings 
and underflows are tolerated, but not overflows, divisions by zero or invalid 
operations, which are considered run-time errors and halt the program. Our 
goal is to detect such behaviors. In this context, + 00 , — 00 , and NaNs can never 




6 



A. Mine 



-^f, + Oo( 2 ') ^ 


r 12 

min{j/ £ Ff 


if x > Mf t 
| y > x} otherwise 


Rt,— 00(3?) — ^ 


r n 

max{y £ Ff 


if x < —Mf t 
| y < x} otherwise 


Rf,o(x) = <j 


r min{p £ Ff 
L max{j/ £ Ff 


| y > x} if x < 0 

| y < x} if x > 0 




' n 
Mf f 
-Mf f 

Rt-oo (>r) 

Rt ,+00 (>r) 
Rr-00 (>r) 

^ Rf ,+oo ( 3 ?) 


if |x| > (2 - 2 ~ p - 1 )2 2<S-bias-2 
else if x > M/ f 
else if x < —Mf ( 

else if \R{,-oo(x) — x\ < \R( :+ao (x) — x\ 
else if |i?f, + 00 (x) — x\ < (Rf,-oo(a;) — x\ 
else if Rf,^ ao (x) , s least significant bit is 0 
else if f?f,+cx)(a;)’s least significant bit is 0 



Fig. 1. Rounding functions, extracted from [5]. 



lconstf x (c)}p 


= R{,r(c) 




Hp 


= Pi'') 




[castf, r (e)l|p 


= Rf,r([e]p) 


if Help ^ 12 


lei ©f ,r e 2 ]p 


= #f,r(([ei]p) • (|e 2 ]p)) 


if [ei]p, [e 2 ]p ± 12, • £ {+, -, x} 


[ei 0f, r e 2 ]p 


= flf,r(([ei]p)/([e 2 ]p)) 


if [ei]p^ 12, [e 2 ]p<^ {0,12} 


[eelp 


= -([el P) 


if [e]p ± 12 


\expr f \p 


= n 


in all other cases 



Fig. 2. Expression concrete semantics, extracted from [5]. 



be created and, as a consequence, the difference between +0 and —0 becomes 
irrelevant. For every format f £ F, the set of floating-point numbers will be 
assimilated to a finite subset of R denoted by Ff. The grammar of floating- 
point expressions of format f includes constants, variables v £ Vf of format f, 
casts (conversion from another format), binary and unary arithmetic operators 
(circled in order to distinguish them from the corresponding operators on reals) : 

expr f :== constf x (c) c £ R 

| v v £ Vf 

castf x (expr { ,) 

expr { ©f, r expr f © £ {©, 0, ©, 0} 

Qexpr { 

Some constructs are tagged with a floating-point format f £ F and a round- 
ing mode r £ {n, 0, +oo, — oo} (n representing rounding to nearest). A notable 
exception is the unary minus 0 which does not incur rounding and never results 
in a run-time error as all the FfS are perfectly symmetric. 

An environment p £ TlftF^f “ ^ a function that associates to each 

variable a floating-point value of the corresponding format. Fig. 2 gives the 
concrete semantics [ei vpr f Jp £ Ff U {12} of the expression expr t in the envi- 






Relational Abstract Domains 



7 



ronment p : it can be a number or the run-time error 17. This semantics uses 
solely the regular operators +,— ,x,/ on real numbers and the rounding function 
Rf r : R. — > Ff U {17} defined in Fig. 1. It corresponds exactly to the IEEE 754 
norm [5] where the overflow, division by zero, and invalid operation exception 
traps abort the system with a run-time error. 



4 Floating-Point Interval Analysis 



Floating-Point Interval Arithmetics. The idea of interval arithmetics is to 
over-approximate a set of numbers by an interval represented by its lower and 
upper bounds. For each format f, we will denote by If the set of real intervals 
with bounds in Ff. As Ff is totally ordered and bounded, any subset of Ff can 
be abstracted by an element of If. Moreover, as all rounding functions i?f, r are 
monotonic, we can compute the bounds of any expression using pointing-point 
operations only, ensuring efficient implementation within an analyzer. A first 
idea is to use the very same format and rounding mode in the abstract as in the 
concrete, which would give, for instance, the following addition (17 denoting a 
run-time error): 



[a-;a+] ffi^ r [&";&+] 



17 if a ®f a . b = 17 or a + ®f >r b + = 17 
[a~ ®f, r b~\a + ®f, r 5+] otherwise 



A drawback of this semantics is that it requires the analyzer to determine, 
for each instruction, which rounding mode r and which format f are used. This 
may be difficult as the rounding mode can be changed at run-time by a system 
call, and compilers are authorized to perform parts of computations using a more 
precise IEEE format that what is required by the programmer (on Intel x86, all 
floating-point registers are 80-bit wide and rounding to the user-specified format 
occurs only when the results are stored into memory). Unfortunately, using in 
the abstract a floating-point format different from the one used in the concrete 
computation is not sound. 

The following semantics, inspired from the one presented in [11], solves these 
problems by providing an approximation that is independent from the concrete 
rounding mode (assuming always the worst: towards — oo for the lower bound 
and towards +oo for the upper bound): 

• constf(c) = [const f ’- 00 (c)-, const f :+0 o(c)] 

• castf(c ) = [castf\_oo(c); casff^+oAc)] 

• [a - ; a+] ®J [b~\ b + ] = [a® ®f,-oo b~\ a + ©f, +0 o b + ] 

• [a“; a+] ©J [fe“; b+] = [a~ © f _«*, b+- a+ © f , +00 b~] 

• [a - ; a + ] (g>jt [6~; b + ] = 

[min((a+ ®f,_oo b + ), (a© <g>f _oo b + ), ( a + <&f-oo b~), ( a~ ®t-oo b~)); 

max((a+ ®f, +00 b + ), ( a~ ®f >+0 o b + ), (a+ ®f >+00 b~), (a~ ® f , +00 b ~ ))] 

• [a - ; a+] [& - ; b + ] = 

o 17 if b~ < 0 < b + 

o [min((a+ <Z>t,-oo b + ), ( a~ <dt,-oo b + ), (a + <Z>t,-oo b~), ( a~ 0{ t -oo b~)); 




A. Mine 



for (n=0;njN;n++) { 

// fetch X in [—128; 128] and D in [0; 16] 
S = Y; R-X 032,71 5; Y = X; 
if (R < QD) Y = S 032,71 D; 
if (. R >D)Y = S 032,71 D; 

} 



Fig. 3. Simple rate limiter function with input X, output Y , and maximal rate variation 
D. 



max((a + 0f, +oo b + ), (a 0f, +oo b + ), (a+ 0f, +O o b ),(a 0f, +O o & ))] 
otherwise 

• 0 # [a“;a + ] = [ea + ;6a~] 

• return Q if one interval bound evaluates to 17 

This semantics frees the analyzer from the job of statically determining the 
rounding mode of the expressions and allows the analyzer to use, in the abstract, 
less precise formats that those used in the concrete (however, using a more precise 
format in the abstract remains unsound). 

Floating-Point Interval Analysis. Interval analysis is a non-relational Ab- 
stract Interpretation-based analysis where, at each program point and for each 
variable, the set of its possible values during all executions reaching this point 
is over-approximated by an interval. An abstract environment pr is a func- 
tion mapping each variable v £ Vf to an element of If. The abstract value 
£ If U {17} of an expression expr f in an abstract environment p $ can 
be derived by induction using the interval operators defined in the preceding 
paragraph. 

An assignment v <— expr f performed in an environment p * returns pr where 
v’s value has been replaced by [exprf]^ if it does not evaluate to 17, and 
otherwise by Ff (the top value) and reports an error. Most tests can only be 
abstracted by ignoring them (which is sound). Even though for simple tests such 
as, for instance, X < Y ©f, r c, the interval domain is able to refine the bounds for 
X and Y, it cannot remember the relationship between these variables. Consider 
the more complete example of Fig. 4. It is a rate limiter that given random 
input flows X and D, bounded respectively by [—128; 128] and [0; 16], computes 
an output flow Y that tries to follow X while having a change rate limited by 
D. Due to the imprecise abstraction of tests, the interval domain will bound Y 
by [—128 — 16 n; 128 + 16n] after n loop iterations while in fact it is bounded 
by [—128; 128] independently from n. If N is too big, the interval analysis will 
conclude that the limiter may overflow while it is in fact always perfectly safe. 

5 Linearization of Floating-Point Expressions 

Unlike the interval domain, relational abstract domains rely on algebraic proper- 
ties of operators, such as associativity and distributivity, that are not true in the 
floating-point world. Our solution is to approximate floating-point expressions 
by linear expressions in the real held with interval coefficients and free variables 
in V = UfgFVf . Let i + Y^,vev ^ vV suc h a linear form; it can be viewed as a 





Relational Abstract Domains 



9 



function from M v to the set of real intervals. For the sake of efficiency, interval 
coefficient bounds will be represented by floating-point numbers in a format fa 
that is efficient on the analyzer’s platform: i,i v £ If a . Because, for all f and 
•e{+ , — , x,/}, ©j is a valid over-approximation of the corresponding real in- 
terval arithmetics operation, we can define the following sound operators B®, □**, 
IE**, 0^ on linear forms: 



• (* + E„ e v W) (*' + E vGV i'v v ) 

• (d + E^ev*^) (*' + E vev i'v v ) 

• i (*' + J2v&v 

• (* + Euev i v v ) 0tl *' 



(* ®fa *0 + EvGv(^ ©fa 'i'v) V 
(* ©fa *0 ® E^gV^E ©fa * v) V 

(*©faO + E„ev(* 

(* ©fa *0 ® EugvdE ©fa ) V 



Given an expression expr t and an interval abstract environment p* as in 
Sect. 4, we construct the interval linear form (| expr f Dp* on V as follows: 

• (| const f r (c) D = [const f - 00 (c)-, const ft+00 (c)\ 

• (jf’fDp 11 =[i;i]«f 

• d cast f , r (e) Dp # =(|e| )p t ^f (d e D p # ) b# m f fh 1 ; 1 ] 

• d e i ©f,r e 2 Dp # = 

deiDp # ffl 3 d e 2 D/° S -f (d e i Dp B ) Btl -f (d e 2 Dp B ) m/ f [-l;l] 

• d ei ©f, r e 2 Dp # = 

d ei D S S d e 2 D/ 0 * 1 e'f (d e i Dp B ) Btl -rdd e 2 Dp B ) m/ f [-l;l] 

• d [a; b] ©f, r e 2 Dp 11 = 

([a;6]^de 2 ^ # ) ©“ ([a; 6] e f (d e 2 [)p#)) ffl# m/ f [-l;l] 

• d e i ©f,r [a; b\ D P* = d [a; b] © f>r ei Dp 11 

• d e i ©f,r e 2 Dp # = d^deiDP^P 8 ©f ,r e 2 |)p l) 

• d e i ©f,r [a; 6] Dp 1 * = 

(d ei Dp B [«; & D (£f(d e i D/° # ) m f f [-!;!] 

• d ei ©f,r e 2 Dp # =d e ! ©f ,r i(d e 2 D 



where the “error” £f (l) of the linear form l is the following linear form: 
e f ([a;b] + ^[a„;&„]uj = (max(|a|, |6|) ©J a [-2" p ; 2~ p ]) + 

^(max(|a t) |, |6 t ,|) ©jj. a [-2~ p ; 2~ p ])u 



vGV 



vGV 



(p is the fraction size in bits for the format f, see Sect. 3.1) 



and the “intervalization” i(l)p* function over-approximates the range of the 
linear form l in the abstract environment p ^ as the following interval of If a : 

M + ivV ) = * ©fa ( iv ©fa PKV) J 

V vev J \«Gv a / 

(any summation order for ©f a is sound) 

Note that this semantics is very different from the one proposed by Goubault 
in [11] and subsequently used in [13]. In [11], each operation introduces a new 
variable representing an error term, and there is no need for interval coefficients. 




10 



A. Mine 



About l. Dividing a linear form by another linear form which is not reduced 
to an interval does not yield a linear form. In this case, the i operator is used to 
over-approximate the divisor by a single interval before performing the division. 
The same holds when multiplying two linear forms not reduced to an interval, but 
we can choose to apply l to either argument. For the sake of simplicity, we chose 
here to “intervalize” the left argument. Moreover, any non-linear operator (such 
as, e.g., square root or sine) could be dealt with by performing the corresponding 
operator on intervals after “intervalizing” its argument (s). 

About £f. To account for rounding errors, an upper bound of \Rf >r (x ■ y) — (x ■ y)\ 
(where • £ {+, — , x, /}) is included in ( expr f \)p^ . It is the sum an error relative 
to the arguments x and p, expressed using £f, and an absolute error m/ f due to 
a possible underflow. Unlike what happened with interval arithmetics, correct 
error computation does not require the abstract operators to use floating-point 
formats that are no more precise than the concrete ones: the choice of fa is 
completely free. 

About fl. It is quite possible that, during the computation of ( expr f \)p$, a 
floating-point run-time error fl occurs. In that case, we will say that the lin- 
earization “failed”. It does not mean that the program has a run-time error, 
but only that we cannot compute a linearized expression and must revert to the 
classical interval arithmetics. 

Main Result. When we evaluate in R. the linear form ( expr f \)p“ in a concrete 
environment p included in p* we get a real interval that over-approximates the 
concrete value of the expression: 

Theorem 1. 

If \expr f \^ p^ ^ fi and the linearization does not fail andVv £ V, p(v) £ p^{v), 
then [ezpr f ]p £ ( expr f \)p ** (p). 

Linear Form Propagation. As the linearization manipulates expressions sym- 
bolically, it is able to perform simplifications when the same variable appears 
several times. For instance Z £- X 0 32 , n (0.25 8 ) 32 , n A) will be interpreted as 
Z «— [0.749 • • • ; 0.750 • • • ]X + 2.35 • • • 10 _38 [— 1; 1]. Unfortunately, no simplifica- 
tion can be done if the expression is broken into several statements, such as in 
Y <— 0.25 032, n X\Z X 032 , n Y. Our solution is to remember, in an extra 

environment pj, the linear form assigned to each variable and use this informa- 
tion while linearizing: we set ( Vf D(p tt , p\) = p\(v) instead of [— 1 ; l]i>f. Care must 
be taken, when a variable v is modified, to discard all occurrences of v in pj. 
Effects of tests on p\ are ignored. Our partial order on linear forms is flat, so, at 
control-flow joins, only variables that are associated with the same linear form 
in both environments are kept; moreover, we do not need any widening. This 
technique is reminiscent of Kildall’s constant propagation [12]. 

Applications. A first application of linearization is to improve the preci- 
sion of the interval analysis. We simply replace \expr^p^ by fexprfj^p 1 * fl 
i(d expr f )p*)p* whenever the hypotheses of Thm. 1 hold. 




Relational Abstract Domains 



11 



While improving the assignment transfer function (trough expression simpli- 
fication) , this is not sufficient to treat tests precisely. For this, we need relational 
domains. Fortunately, Tlrm. 1 also means that if we have a relational domain 
that manipulates sets of points with real coordinates K v and that is able to 
perform assignments and tests of linear expressions with interval coefficients, we 
can use it to perform relational analyses on floating-point variables. Consider, 
for instance, the following algorithm to handle an assignment v <— expr f in such 
a relational domain (the procedure would be equivalent for tests): 

• If [e:rpr f ]^ = 17, then we report a run-time error and apply the transfer 
function for v <— Ff . 

• Else, if the linearization of expr f fails, then we do not report an error but 
apply the transfer function for v <— [expr f ]*/A 

• Otherwise, we do not report an error but apply the transfer function for 
v 1— (| expr { Dp**. 

Remark how we use the interval arithmetics to perform the actual detection of 
run-time errors and as a fallback when the linearization cannot be used. 

6 Adapting Relational Abstract Domains 

We first present in details the adaptation of the octagon abstract domain [14] to 
use floating-point arithmetics and interval linear forms, which was implemented 
in our second prototype analyzer [4]. We then present in less details some ideas 
to adapt other domains. 

6.1 The Octagon Abstract Domain 

The octagon abstract domain [14] can manipulate sets of constraints of the form 
±x ±y<c, x,y£V,cG E where E can be Z, Q, or K. An abstract element 
o is represented by a half-square constraint matrix of size |V|. Each element at 
line i, column j with i < j contains four constraints: ty + Vj < c, ty — Vj < c, 
— Vi + Vj < c, and — ty — Vj < c, with c6E = EU {+oo}. Remark that diagonal 
elements represent interval constraints as 2 ry < c and —2 ty < c. In the following, 
we will use notations such as max 0 (ry + Vj) to access the upper bound, in E, of 
constraints embedded in the octagon o. 

Because constraints in the matrix can be combined to obtain implied con- 
straints that may not be in the matrix (e.g., from x — y < c and y + z < d, we 
can deduce x + z < c + d), two matrices can represent the same set of points. 
We introduced in [14] a Floyd-Warslrall-based closure operator that provides a 
normal form by combining and propagating, in 0(|V| 3 ) time, all constraints. The 
optimality of the abstract operators requires to work on closed matrices. 

Floating-Point Octagons. In order to represent and manipulate efficiently 
constraints on real numbers, we choose to use floating-point matrices: Ff a re- 
places E (where fa is, as before, an efficient floating-point format chosen by the 
analyzer implementation). As the algorithms presented in [14] make solely use of 
the + and < operators on E, it is sufficient to replace + by ®f a ,+oo and map Q 
to +oo in these algorithms to provide a sound approximation of all the transfer 




12 



A. Mine 



functions and operators on reals using only Ff a = Ff a U {+oo}. As all the nice 
properties of E are no longer true in Ff a , the closure is no longer a normal form. 
Even though working on closed matrices will no longer guaranty the optimality 
of the transfer functions, it still greatly improves their precision. 

Assignments. Given an assignment of the form Vk +- l, where l is a interval 
linear form, on an octagon o, the resulting set is no always an octagon. We can 
choose between several levels of approximation. Optimality could be achieved 
at great cost by performing the assignment in a polyhedron domain and then 
computing the smallest enclosing octagon. We propose, as a less precise but 
much faster alternative (0(|V| time cost), to replace all constraints concerning 
the variable Vk by the following ones: 

Vk + Vi < u( o, l EE^ Vi) Vi ^ k 

v k - Vi < u( o, l E=]B Vi) Mi ^ k 

— Vk + Vi < u( o, Vi B* l) Mi ^ k 

— Vk — Vi < u( o, B#(Z EH* v^) Mi ^ k 

Vk < u( o, l) 

— Vk <u(o,BH) 

where the upper bound of a linear form l on an octagon o is approximated 
by u( o, l) G Ff a as follows: 



lo, [a ;a + ] + ^[a„ ;a+]v J = a + ® fa , +c 
V / vev J 



©fa +oc max(max 0 (u) ®f a ,+oo a+, ©(max 0 (-u) <g>f a ,-oo a+), 
\ veV a ’ °° maxo(u) 0 fa , + 00 &V 5 e(max 0 (— u) ®f a ,-oo a v )) 

(any summation order for (B f a ,+oo is sound) 

and ©f a ,+oo and ®fa,+oo are extended to Ff a as follows: 



+0O ®f a ,+oo X = X ®fa,+oo + 00 = +0O 

f 0 

+00 0f a ,+oo X = X ®fa,+oo + 0O = < 



0 if x = 0 
+oo otherwise 



Example 1. Consider the assignment X = Y ® 32 , n Z with Y,Zg [0; 1]. It is 
linearized as X = [1 — 2 -23 ; 1 + 2 _23 ](F + Z) + m/ 32 [— 1; 1], so our abstract 
transfer function will infer relational constraints such as X—Y < l+2 _22 + ra/ 32 . 

Tests. Given a test of the form li < l 2 , where l\ and l 2 are linear forms, for all 
variable V{ ^ Vj, appearing in l\ or l 2 , the constraints in the octagon o can be 
tightened by adding the following extra constraints: 

Vj — Vi < u(o, l 2 B** Zi B# Vi EEI^ Vj) 

Vj + Vi < u(o, l 2 B^ li fflU Vi E0tf Vj) 

— Vj — Vi < u{ o, l 2 B** l\ B** Vi B# Vj) 

— Vj + Vi < u(o, l 2 B* l\ B^ Vi B^ Vj) 

Vi < u(o, l 2 B* li fflt* vf) 




Relational Abstract Domains 



13 



—Vi < u( o, l 2 B # li B # Vi) 

Example 2. Consider the test Y © 32 ,™ Z < 1 with Y, Z G [0; 1], It is linearized as 
[1 — 2 -23 ; 1 + 2 -23 ](F + Z) + m/ 32 [— 1; 1] < [1; 1]. Our abstract transfer function 
will be able to infer the constraint: Y + Z < 1 + 2~ 22 + mf 32 - 

Example 3. The optimal analysis of the rate limiter function of Fig. 3 would 
require representing interval linear invariants on three variables. Nevertheless, 
the octagon domain with our approximated transfer functions can prove that 
the output Y is bounded by [—136; 136] independently from n (the optimal 
bound being [—128; 128]), which is sufficient to prove that Y does not overflow. 

Reduction with Intervals. The interval environment pr is important as we use 
it to perform run-time error checking and to compute the linear form associated 
to an expression. So, we suppose that transfer functions are performed in parallel 
in the interval domain and in the octagon domain, and then, information from 
the octagon result o is used to refine the interval result p $ as follows: for each 
variable t)£V, the upper bound of p$( v) is replaced by min(maxptf(i>), max 0 (v)) 
and the same is done for its lower bound. 

6.2 Polyhedron Domain 

The polyhedron domain is much more precise than the octagon domain as it al- 
lows manipulating sets of invariants of the form c v v < c, but it is also much 
more costly. Implementations, such as the New Polka or the Parma Polyhedra 
libraries [2], are targeted at representing sets of points with integer or ratio- 
nal coordinates. They internally use rational coefficients and, as the coefficients 
usually become fairly large, arbitrary precision integer libraries. 

Representing Reals. These implementations could be used as-is to abstract 
sets of points with real coordinates, but the rational coefficients may get out 
of control, as well as the time cost. Unlike what happened for octagons, it is 
not so easy to adapt the algorithms to floating-point coefficients while retaining 
soundness as they are much much more complex. We are not aware, at the time 
of writing, of any such floating-point implementation. 

Assignments and Tests. Assignments of the form v t— l and tests of the form 
l < 0 where l = [a - ; a + ] + X)„ 6V [a“; a+]r> seem difficult to abstract in general. 
However, the case where all coefficients in l are scalar except maybe the constant 
one is much easier. To cope with the general case, an idea (yet untested) is to use 
the following transformation that abstracts l into an over-approximated linear 
form V where \/v, a~ = a 3 " by transforming all relative errors into absolute ones: 

V = ( [a”;a + ] ®f a 0 fa (a+ ©f a ,+oo a~) ©4 [0.5; 0.5] <S>j| a p # (u) ) + 

V vGV a / 

J^((a“ ©fa, +00 a+) ©fe [0.5; 0.5])u 

vGV 

(any summation order for ©J a is sound) 




14 



A. Mine 



6.3 Two Variables per Linear Inequalities Domain 

Simon’s domain [15] can manipulate constraints of the form avi + fivj < c, 
ot,(3,c £ Q. An abstract invariant is represented using a planar convex poly- 
hedron for each pair of variables. As for octagons, most computations are done 
point-wise on variable pairs and a closure provides the normal form by propagat- 
ing and combining constraints. Because the underlying algorithms are simpler 
than for generic polyhedra, adapting this domain to handle floating-point com- 
putations efficiently may prove easier while greatly improving the precision over 
octagons. This still remains an open issue. 

6.4 Ellipsoid and Digital Filter Domains 

During the design of our prototype analyzer [4] , we encountered code for comput- 
ing recursive sequences such as X t = ((a® 32 ,n Aj_ 1 )0 32 , f i (/3®32,n Aj_2))©32,n7 
(1), or Xi = (a (© 32 , n Xi- 1 ) 032, n (Vi 032, n Yi-i ) (2). In order to find precise 
bounds for the variable X, one has to consider invariants out of the scope of 
classical relational abstract domains. Case (1) can be solved by using the el- 
lipsoid abstract domain of [4] that can represent non-linear real invariants of 
the form aXf + bXf _ + cX i X i _\ < d, while case (2) is precisely analyzed 
using Feret’s filter domains [9] by inferring temporal invariants of the form 
| A,; | < a maxj<, |Yj-| + b. It is not our purpose here to present these new ab- 
stract domains but we stress the fact that such domains, as the ones discussed 
in the preceding paragraphs, are naturally designed to work with perfect reals, 
but used to analyze imperfect floating-point computations. 

A solution is, as before, to design these domains to analyze interval linear as- 
signments and tests on reals, and feed them with the result of the linearization of 
floating-point expressions defined in Sect. 5. This solution has been successfully 
applied (see [9] and Sect. 8). 



7 Convergence Acceleration 

In the Abstract Interpretation framework, loop invariants are described as fix- 
points and are over-approximated by iterating, in the abstract, the body transfer 
function F ® until a post-fixpoint is reached. 



Widening. The widening V is a convergence acceleration operator introduced 
in [6] in order to reduce the number of abstract iterations: lim, (i 7 '^)* is replaced 
by Imp E\ where E\ +1 = E\ V F\e\). A straightforward widening on intervals 
and octagons is to simply discard unstable constraints. However, this strategy 
is too aggressive and fails to discover sequences that are stable after a certain 
bound, such as, e.g., X = {a ®s 2 ,n A) 0 32 , n P- To give these computations a 
chance to stabilize, we use a staged widening that tries a user-supplied set of 
bounds in increasing order. As we do not know in advance which bounds will be 
stable, we use, as set T of thresholds, a simple exponential ramp: T = {±2 I }(~lFf a . 
Given two octagons o and o', the widening with thresholds o V o' is obtained by 
setting, for each binary unit expression in* ± up 

max 0 (C) if max 0 /(C') < max 0 (C) 

m in {t £ T U {+oo} | t > max 0 /(C)} otherwise 



maxovo'(C') = 




Relational Abstract Domains 



15 



Decreasing Iterations. We now suppose that we have iterated the widening 
with thresholds up to an abstract post-fixpoint X$: F^(X^) C XK The bound of 
a stable variable is generally over-approximated by the threshold immediately 
above. One solution to improve such a bound is to perform some decreasing 
iterations Xf +1 = X\ n F(Xf) from Xq = XK We can stop whenever we wish, 
the result will always be, by construction, an abstraction of the concrete fixpoint; 
however, it may no longer be a post-fixpoint for FK It is desirable for invariants 
to be abstract post-fixpoint so that the analyzer can check them independently 
from the way they were generated instead of relying solely on the maybe buggy 
fixpoint engine. 

Iteration Perturbation. Careful examination of the iterates on our bench- 
marks showed that the reason we do not get an abstract post-fixpoint is that the 
abstract computations are done in floating-point which incurs a somewhat non- 
deterministic extra rounding. There exists, between F^’s definitive pre-fixpoints 
and F^s definitive post-fixpoints, a chaotic region. To ensure that the X\ stay 
above this region, we replace the intersection n used in the decreasing iterations 
by the following narrowing A: o A o' = e(o n o') where e(o) returns an octagon 
where the bound of each unstable constraint is enlarged by e x d, where d is the 
maximum of all non +oo constraint bounds in o. Moreover, replacing o V o' by 
e(o V o') allows the analyzer to skip above F^s chaotic regions and effectively 
reduces the required number of increasing iterations, and so, the analysis time. 

Theoretically, a good e can be estimated by the relative amount of rounding 
errors performed in the abstract computation of one loop iteration, and so, is a 
function of the complexity of the analyzed loop body, the floating-point format fa 
used in the analyzer and the implementation of the abstract domains. We chose 
to fix e experimentally by enlarging a small value until the analyzer reported 
it found an abstract post-fixpoint for our program. Then, as we improved our 
abstract domains and modified the analyzed program, we seldom had to adjust 
this e value. 

8 Experimental Results 

We now show how the presented abstract domains perform in practice. Our only 
real-life example is the critical embedded avionics software of [4]. It is a 132, 000 
lines reactive C program (75 KLoc after preprocessing) containing approximately 
10, 000 global variables, 5, 000 of which are floating-point variables, single preci- 
sion. The program consists mostly of one very large loop executed 3.6- 10 6 times. 
Because relating several thousands variables in a relational domain is too costly, 
we use the “packing” technique described in [4] to statically determine sets of 
variables that should be related together and we end up with approximately 
2,400 octagons of size 2 to 42 instead of one octagon of size 10, 000. 

Fig. 4 shows how the choice of the abstract domains influence the precision 
and the cost of the analysis presented in [4] on our 2.8 GHz Intel Xeon. Together 
with the computation time, we also give the number of abstract executions of the 
big loop needed to find an invariant; thanks to our widenings and narrowings, 
it is much much less than the concrete number of iterations. All cases use the 




16 



A. Mine 



j domains 


time 


nb. of 
iterations 


memory 


nb. of 
alarms 


linearize 


octagons 


filters 


X 


X 


X 


1623 s 


150 


115 MB 


922 


V 


X 


X 


4001 s 


176 


119 MB 


825 


V 


V 


X 


3227 s 


69 


175 MB 


639 


s/ 


X 


V 


8939 s 


211 


207 MB 


363 


s/ 


V 


s/ 


4541 s 


72 


263 MB 


6 



Fig. 4. Experimental results. 



interval domain with the symbolic simplification automatically provided by the 
linearization, except (1) that uses plain interval analysis. Other lines show the 
influence of the octagon (Sect. 6.1) and the specialized digital filter domains 
([9] and Sect. 6.4): when both are activated, we only get six potential run- 
time errors for a reasonable time and memory cost. This is a sufficiently small 
number of alarms to allow manual inspection, and we discovered they could 
be eliminated without altering the functionality of the application by changing 
only three lines of code. Remark that as we add more complex domains, the time 
cost per iteration grows but the number of iterations needed to find an invariant 
decreases so that a better precision may reduce the overall time cost. 

9 Conclusion 

We presented, in this paper, an adaptation of the octagon abstract domain in 
order to analyze programs containing IEEE 754-compliant floating-point oper- 
ations. Our methodology is somewhat generic and we proposed some ideas to 
adapt other relational numerical abstract domains as well. The adapted octagon 
domain was implemented in our prototype static analyzer for run-time error 
checking of critical C code [4] and tested on a real-life embedded avionic appli- 
cation. Practical results show that the proposed method scales up well and does 
greatly improve the precision of the analysis when compared to the classical in- 
terval abstract domain while maintaining a reasonable cost. To our knowledge, 
this is the first time relational numerical domains are used to represent relations 
between floating-point variables. 

Acknowledgments. We would like to thank all the members of the “magic” 
team: Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jerome Feret, Laurent 
Mauborgne, David Monniaux, Xavier Rival, as well as the anonymous referees. 

References 

1. Y. Ait Ameur, G. Bel, F. Boniol, S. Pairault, and V. Wiels. Robustness analysis 
of avionics embedded systems. In LCTES’03 , pages 123-132. ACM Press, 2003. 

2. R. Bagnara, E. Ricci, E. Zaffanella, and P. M. Hill. Possibly not closed convex 
polyhedra and the Parma Polyhedra Library. In SAS’02, volume 2477 of LNCS, 
pages 213-229. Springer, 2002. 





Relational Abstract Domains 



17 



3. B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Mine, D. Monniaux, 
and X. Rival. Design and implementation of a special-purpose static program 
analyzer for safety-critical real-time embedded software, invited chapter. In The 
Essence of Computation: Complexity, Analysis, Transformation. Essays Dedicated 
to Neil D. Jones, LNCS, pages 85-108. Springer, 2002. 

4. B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Mine, D. Monniaux, 
and X. Rival. A static analyzer for large safety-critical software. In ACM PLDI’03, 
volume 548030, pages 196-207. ACM Press, 2003. 

5. IEEE Computer Society. IEEE standard for binary floating-point arithmetic. Tech- 
nical report, ANSI/IEEE Std 745-1985, 1985. 

6. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for 
static analysis of programs by construction or approximation of fixpoints. In ACM 
POPL 77, pages 238-252. ACM Press, 1977. 

7. P. Cousot and R. Cousot. Abstract interpretation frameworks. Journal of Logic 
and Computation, 2(4) :51 1-547, August 1992. 

8. P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among 
variables of a program. In ACM POPL’78, pages 84-97. ACM Press, 1978. 

9. J. Feret. Static analysis of digital filters. In ESOP’Of. LNCS, 2004. 

10. D. Goldberg. What every computer scientist should know about floating-point 
arithmetic. ACM Computing Surveys ( CSUR ), 23(l):5-48, 1991. 

11. E. Goubault. Static analyses of floating-point operations. In SAS’01, volume 2126 
of LNCS, pages 234-259. Springer, 2001. 

12. G. Kildall. A unified approach to global program optimization. In POPL ’73, pages 
194-206. ACM Press, 1973. 

13. M. Martel. Static analysis of the numerical stability of loops. In SAS’02, volume 
2477 of LNCS, pages 133-150. Springer, 2002. 

14. A. Mine. The octagon abstract domain. In AST 2001 in WCRE 2001, IEEE, pages 
310-319. IEEE CS Press, 2001. 

15. A. Simon, A. King, and .1. Howe. Two variables per linear inequality as an abstract 
domain. In LOPSTR’02, volume 2664 of LNCS, pages 71-89. Springer, 2002. 

16. R. Skeel. Roundoff error and the Patriot missile. SIAM News, 25(4):11, July 1992. 

17. J. Vignes. A survey of the CESTAC method. In J-C. Bajard, editor, Proc. of Real 
Numbers and Computer Conference, 1996. 




Strong Preservation as Completeness in 
Abstract Interpretation 



Francesco Ranzato and Francesco Tapparo 



Dipartimento di Matematica Pura ed Applicata, Universita di Padova 
Via Bclzoni 7, 35131 Padova, Italy 
{f ranz , tapparo}@math.unipd. it 



Abstract. Many algorithms have been proposed to minimally refine 
abstract transition systems in order to get strong preservation relatively 
to a given temporal specification language. These algorithms compute 
a state equivalence, namely they work on abstractions which are parti- 
tions of system states. This is restrictive because, in a generic abstract 
interpretation-based view, state partitions are just one particular type 
of abstraction, and therefore it could well happen that the refined parti- 
tion constructed by the algorithm is not the optimal generic abstraction. 
On the other hand, it has been already noted that the well-known con- 
cept of complete abstract interpretation is related to strong preservation 
of abstract model checking. This paper establishes a precise correspon- 
dence between complete abstract interpretation and strongly preserving 
abstract model checking, by showing that the problem of minimally re- 
fining an abstract model checking in order to get strong preservation 
can be formulated as a complete domain refinement in abstract inter- 
pretation, which always admits a fixpoint solution. As a consequence of 
these results, we show that some well-known behavioural equivalences 
used in process algebra like simulation and bisimulation can be elegantly 
characterized in pure abstract interpretation as completeness properties. 



1 Introduction 

The design of any abstract model checking framework and/or tool comes always 
together with a preservation result, roughly stating that for a formula ip specified 
in some temporal language £ , the validity of <p on the abstract model implies 
the validity of p> on the concrete model. On the other hand, strong preservation 
means that any formula of £ is valid in the abstract model if and only if it is 
valid in the concrete model. Strong preservation is highly desirable since it allows 
to draw consequences from negative answers on the abstract side. 

This paper follows a standard abstract interpretation approach to abstract 
model checking, as applied for instance in temporal abstract interpretation [9]. 
The concrete state semantics of a temporal specification language £ is given by a 
function [•] mapping a formula p £ £ to the set of states s £ State satisfying p, 
that is [y>] = {s£ State \ s f= p}. This concrete state semantics is approximated 
by the abstract semantics induced by any abstract interpretation of p(State), 

D.A. Schmidt (Ed.): ESOP 2004, LNCS 2986, pp. 18-32, 2004. 

(c) Springer- Verlag Berlin Heidelberg 2004 




Strong Preservation as Completeness in Abstract Interpretation 



19 



namely a Galois connection (or, equivalently, a closure operator). This approach 
is more general than classical abstract model checking [5,6] where the abstract 
model is, analogously to the concrete model, a transition system or a Kripke 
structure. In our framework, this classical approach corresponds to a particu- 
lar case of abstraction, namely an abstract domain encoding a partition of the 
system states. In a general abstract interpretation setting, an abstract model 
checking is associated to any abstraction of the powerset of system states, and 
this obviously enables a hirer-grain taxonomy of abstract model checkers. The 
concept of complete abstract interpretation is well known [8,15]: this encodes an 
ideal situation where the abstract semantics coincides with the abstraction of 
the concrete semantics. It should be quite clear that completeness of an abstract 
interpretation with respect to some semantic functions and strong preservation 
of an abstract model checker with respect to a temporal language are, somehow, 
related concepts: this was first formalized by Giacobazzi and Quintarelli [13], 
who put forward a method for systematically refining abstract model checking 
in order to eliminate Clarke et al.’s [4] spurious counterexamples. The relation- 
ship between completeness and spurious counterexamples was further studied in 
[10], where it is also shown that stability a la Paige and Tarjan [20] for a state 
partition can be formulated through complete abstract interpretations. 

We first generalize the notion of classical strong preservation to our abstract 
interpretation framework. Namely, the classical concept of strong preservation 
for an abstract model specified as an abstract transition system, viz. a state 
partition, is here generalized to an abstract model specified by any generic ab- 
stract domain. It turns out that any generic abstract model induces a classical 
partition-based abstract model checking, but this could give rise to a loss of 
information. Our results rely on the notion of forward complete abstract do- 
main. An abstract domain p, viewed as a closure operator (closure operators are 
particularly useful here since they allow us to be independent from the represen- 
tation of abstract objects), is forward complete for a concrete semantic function 
/ : Concrete —> Concrete when po fo p = fop. Forward completeness is dual to 
the aforementioned standard completeness, i.e. po f o p = po f — called back- 
ward completeness — and intuitively states that when the concrete function / is 
restricted to abstract objects then it coincides with the abstract function p o /, 
i.e., the best correct approximation of / in the abstract domain p. Giacobazzi et 
al. [15] showed how to systematically and constructively derive backward com- 
plete abstract domains from non-complete ones by minimal refinements. This 
can be done for forward completeness as well: Given any domain p, the most 
abstract domain which refines p and is forward complete for / does exist and it 
can be characterized as a greatest hxpoint. We call such a domain the (forward) 
complete shell of p for /. 

Let us turn to strong preservation. We consider generic inductively defined 
languages £, generated from atomic propositions and a set of logical operators 
op 1 , ..., op k whose interpretations are opi : p(State) n — > p(State), where n is the 
arity of the operator. In our framework any abstraction p of p(States) induces 
an abstract semantics [-] M : C — »• p for the language C. Given any abstraction p, 




20 



F. Ranzato and F. Tapparo 



we show that the most abstract semantics which refines p and is strongly pre- 
serving for C is precisely the complete shell of p for all the language operators 
op 1 ? op n . This result can be also read as follows. A number of algorithms have 
been proposed to minimally refine classical abstract models, i.e. state partitions, 
in order to get strong preservation relatively to some relevant temporal specifi- 
cation languages. Typically, these are coarsest partition refinement algorithms 
which compute the state equivalence induced by some behavioural state equiv- 
alence, e.g., bisimulation, stuttering equivalence (or branching bisimulation) or 
simulation equivalence, since they exploit the fact that this behavioural equiv- 
alence coincides with the state equivalence =c induced by a temporal language 
C, namely, s =c s' iff s and s' agree on each formula of C. This is the case 
of Paige and Tarjan algorithm [20] for strong preservation of CTL* [2] and of 
Groote and Vaandrager algorithm [16] for strong preservation of CTL*-X. Our 
results allow us to provide a clean and elegant generalization of these coarsest 
partition refinement algorithms in our abstract interpretation framework. Due 
to lack of space we do not consider stuttering equivalence here (we refer to the 
full version of the paper). 



2 Basic Notions 

Notation. Let X be any set. When writing a set S £ p(p(X)), we often write the 
sets in S in a compact form like in {1,12,123} £ p(p({l, 2, 3})). C denotes the 
complement operator. Fun(X) denotes the set of all the functions / : X n — >■ X, 
for some n > 0. When n = 0, / is just a specific object of X. We will denote by 
Part(A) the set of partitions on X. The sets in a partition are called blocks. If 
= C X x X is an equivalence relation then we will denote by P= £ Part(X) the 
corresponding partition of X. Vice versa, if P £ Part(X) then we will denote by 
=p CIxI the corresponding equivalence relation on X. Part (A) is endowed 
with the following standard partial order =<(: given P 1 ,P 2 £ Part(A), Pi =4 P 2 , 
i.e. P 2 is coarser than Pi (or Pi refines P 2 ) iff \/B £ Pi. 35' £ P 2 .P C B'. 

We consider transition systems ( Q , R) where the relation R C Q x Q (also 
denoted by — >) is total, i.e., for any s £ Q there exists some t £ Q such that sR.t,. 
A Kripke structure ( Q , R, AP,£ ) consists of a transition system (Q, R) together 
with a (typically finite) set AP of atomic propositions and a labelling function 
£ : Q — > p(AP). A transition relation R C Q x Q defines the usual pre/post 
transformers on p(Q): pre[P], pre[P], post [A], post[A]. 

Abstract interpretation and completeness. In standard Cousot and Cousot’s ab- 
stract interpretation theory, abstract domains can be equivalently specified ei- 
ther by Galois connections or by (upper) closure operators (uco’s) [8]. These 
two approaches are equivalent, modulo isomorphic representations of domain’s 
objects. The closure operator approach has the advantage of being indepen- 
dent from the representation of domain’s objects and is therefore appropri- 
ate for reasoning on abstract domains independently from their representation. 
Given a complete lattice C , it is well known that the set 1100(17) of all uco’s 




Strong Preservation as Completeness in Abstract Interpretation 



21 



on C , endowed with the pointwise ordering C, gives rise to the complete lat- 
tice (uco(C), C, U, n, Ax.Tcf, id). Let us recall that each p £ uco(C) is uniquely 
determined by the set of its fixpoints, which is its image. Moreover, a sub- 
set X C C is the set of fixpoints of a uco on C iff X is meet-closed, i.e. 
X = M(X) = f {AH | Y C X} (where T c — A c 0 € A1(A)). M{X) is called the 
Moore-closure of X. Also, pQ p iff p(C) C p(C); in this case, we say that p is a 
refinement of p. Often, we will identify closures with their sets of fixpoints since 
this does not give rise to ambiguity. In view of the equivalence above, throughout 
the paper, (uco(C), C) will play the role of the lattice of abstract interpretations 
of C [7,8], i.e. the complete lattice of all the abstract domains of the concrete 
domain C. The ordering on uco(C) corresponds to the standard order used to 
compare abstract domains with regard to their precision: A\ is more precise than 
A 2 (or A 2 is more abstract than A\) iff A 1 O A 2 in uco(C). 

Let / : C — > C be a concrete semantic function and let /** : A — > A be a 
corresponding abstract function, where A = p(C) for some closure p £ uco(C). 
Then, (A, ft) is a sound abstract interpretation when p o f C ft o p. The ab- 
stract function p o f : A — > A is called the best correct approximation of / in A. 
Completeness in abstract interpretation corresponds to require that, in addition 
to soundness, no loss of precision is introduced by the approximated function 
ftop on a concrete object c £ C with respect to approximating by p the concrete 
computation /(c), namely the equation p o f = /# o p holds. The following dual 
form of completeness may be considered. The soundness equation p o f C /# o p 
is also equivalent to the equation / o p C p o p. Then, forward completeness for 
ft corresponds to the equation / o p = ft o p, and therefore means that no loss 
of precision occurs by approximating a concrete computation of / on an abstract 
object a £ A with the abstract computation of ft on the same a. 

Giacobazzi et al. [15] observed that completeness uniquely depends upon the 
abstraction map, namely, one may define a complete abstract semantic operation 
ft : A — ► A over A if and only if p o f : A — >■ A is complete. Hence, an abstract 
domain p £ uco(C) is defined to be complete {orfiSpof = pofop holds. 
This simple observation makes completeness an abstract domain property. The 
same observations are also true for forward completeness, which is therefore a 
domain property as well: p is forward complete iff fop = pofop. This jus- 
tifies the terminology forward completeness and, dually, backward completeness 
for the first standard form of completeness. A constructive characterization of 
backward complete abstract domains is given in [15], under the assumption of 
dealing with Scott-continuous concrete functions. This result allows to system- 
atically and constructively derive complete abstract domains from non-complete 
ones by minimal refinements: this complete minimal refinement of a domain A 
for a function / is called backward complete shell of A for /. 



3 Partitions as Abstractions 

Let Q be any (possibly infinite) set of states. We associate to a closure p £ 
uco(p(<5)c) a state equivalence = M on Q , i.e. a partition of Q, by identifying 




22 



F. Ranzato and F. Tapparo 



those states that cannot be distinguished by the closure p, namely those states 
belonging to the same set of fixpoints of the closure p: 

s = M s' ^ VS £ p. (s £ S <=> s' £ S). 

It is easy to show that s = M s' iff p({s}) = p({s'}). Hence, this allows us to view 
partitions as particular abstractions of p{Q). We will denote by par(p) £ Part(Q) 
the partition associated to the abstract domain ^ i £ uco (p(Q)). For example, 
for Q = {1,2,3}, the closures // j = {1,12,13,123}, p 2 = {0,1,2,3,123} and 
/X3 = p({l,2,3}) all induce the same partition par(/z) = {{1}, {2}, {3}}. How- 
ever, these closures carry additional information other than the underlying state 
partition, and this additional information allows us to distinguish them. It is 
then natural to say that a closure p represents exactly a state partition when p 
carries all this possible additional information, or, otherwise stated, when p is 
the most precise among the closures inducing a given partition. 

Definition 3.1. p is partitioning if p = P(/z) = f n {77 £ uco(p(Q)) | = v = = M }. 
uco p (p(Q)) will denote the set of partitioning closures. □ 

The operator P is a refinement of abstract domains in the sense of [14], i.e., 
it can be proved that P is a lower closure operator on uco(p(Q)). Accordingly, 
P will be called the partitioning shell operator. It turns out that partitioning 
closures can be characterized as follows. 

Lemma 3.2. Let p £ uco (p(Q)). Then, p £ uco p (p(Q)) iff p is additive and 
{/x({g})} gS Q is a partition of Q. Moreover, in this case, par (p) = {/x({i?})} g e<2- 

For instance, for all the above closures we have that P (pf) = p({l,2,3}), 
and hence p\ and p 2 are not partitioning. Also, the closure {0,3,12,123} is 
partitioning and represents the partition {12, 3}. 

Lemma 3.2 allows us to see classical partition-based abstractions — i.e., 
partitions induced by a surjective abstraction map “ft” in the style of Clarke et 
al. [5] - as a particular case of generic abstract domain through the following 

isomorphism between partitions and partitioning closures: 

par : uco p (p(Q)) — > Part(Q) is the restriction of the above operator par to 
partitioning closures, i.e. par(/i) = {/lx({< 7}) | q £ Q }; 

- pci : Part(<2) — ► uco p (p(<5)) is defined as follows: pcl(P) = f P(A4(P)) = AX £ 
p(Q).U{B £ P | IflB/0 }. 

Theorem 3.3. The mappings par and pci are well defined and give rise to an 
order isomorphism between (Part(Q), =^) and (uco p (p((2)), C). 

4 Strongly Preserving Abstract Model Checking 

We deal with specification languages C whose syntactic (state) formulae p are 
inductively defined by a grammar: 

p::=p\ /(pi,...,p n ) 




Strong Preservation as Completeness in Abstract Interpretation 



23 



where p £ AP ranges over a finite set of atomic propositions and / £ Op ranges 
over a finite set of operators. Each operator / £ Op will have an arity 1 jj(/) > 0. 

The concrete semantic domain for interpreting formulae is the boolean alge- 
bra (p(Q), C), where Q is any (possibly infinite) set of states. The state semantics 
of formulae in C is determined by an interpretation function I such that for any 
p £ AP , I(p) £ p(Q) and for any / £ Op, 1(f) : p(Q )^ — > p(Q). We will 
also use the notations p and f to denote, respectively, I(p) and 1(f). As usual, 
the interpretation I on AP can be equivalently specified by a labelling function 
£ : Q — > p(AP) provided that £(s) = {p £ AP \ s £ I(p)} holds for any s. 
The concrete state semantic function [•]/ : C — > p(Q) is inductively defined as 
follows: 

[P]/ = P and lf(<Pl,-,<Pn)]l 

We will freely use standard logical and temporal operators together with their 
usual interpretations: for example, A/fl, V/U, — >/C, EX/ pre[A], etc. 

If g is any synctatic operator with arity §(g) = n whose semantics is given by 
g : p(Q) n —> p(Q) then we say that the language C is closed under g when for 
any <pi, ...,ip n £ C, there exists some if £ C such that g([<pi]/, •••, [<£n]j) = Mr- 
Let us now apply the standard abstract interpretation approach for defining 
abstract semantics. Consider any abstract domain p £ uco(p(Q)). The abstract 
semantic function [•]/ : C —> p, induced by the abstract domain p evaluates 
any formula ip £ C to an abstract value [p] f belonging to p. |-]j is induced by 
the abstraction p (and the interpretation I) and is inductively defined as best 
correct approximation of the concrete semantics as follows: 

Ip1j=Mp) and I/Mi ••■>¥>«)]/ = M f (MlM--> Ml/))- 

Generalizing strong preservation. Classical abstract model checking [5,6] 
is state-based, namely it relies on an abstract model which, like the concrete 
model, is a transition system. If T = (Q,R) is the concrete transition system 
then this classical approach is based on a surjective abstraction h : Q — >■ A 
mapping concrete states into abstract states, namely a state partition Ph £ 
Part(Q) is required. This gives rise to an abstract model A = ( A,R **) which 
is a transition system, where, typically, the abstract transition relation Rf is 
existentially defined as the following f? 33 : 

h(si)R^h(s 2 ) <t=> 3s/, s' 2 .h(s'f) = h(s\) & h(s' 2 ) = h(s 2 ) & s/ Rs' 2 - 

Abstract model checking then consists in checking a temporal formula Lp specified 
in some language C in the abstract model A: a preservation theorem ensures that 
if a ip and h(s) = a then s |=” T ip. In this classical state-based framework, 
strong preservation (s.p. for short) for C means that for any tp £ C, if h(s) = a 
then a \= A <p <t=> s \= r tp. Loiseaux et al. [19] generalized this approach to 
more general abstract models where an abstraction relation a C Q x A is used 
instead of the surjection h : Q — >■ A. However, the strong preservation results 
given there (cf. [19, Theorems 3 and 4]) require the hypothesis that the relation 

1 It is possible to consider generic operators whose arity is any possibly infinite ordinal, 
thus allowing, for example, infinite conjunctions or disjunctions. 




24 



F. Ranzato and F. Tapparo 



a is difunctional: as a consequence, the class of abstract models allowed by this 
framework is not really larger than the class of classical partition-based abstract 
models (see the detailed discussion by Dams et al. [12, Sect. 8.1]). 

Following Dams [11, Sect. 6.1], the above classical state-based notion of strong 
preservation can be equivalently given through state equivalences as follows. 
The language £ and the semantic function [•]/ induce the following state logical 
equivalence =c CQxQ:s =c s' iff Vp £ £. s £ [p]/ <£> s' £ [p]j. Let Pc £ 
Part(Q) be the corresponding partition of Q. Then, a partition P £ Part(Q) 
is strongly preserving for C (and interpretation I) if P =4 Pci while P is fully 
abstract 2 for £ if P = Pc- For most known temporal languages (e.g., CTL*, 
CTL-X, VCTL*, see [11]), if the partition P is s.p. for £ then it turns out 
that the quotient transition system (Q/= p ,P 33 ) is s.p. for C. Moreover, if P is 
fully abstract then the quotient (Q/= P ,P 33 ) is the smallest transition system 
(smallest in the number of states) that strongly preserves C. 

We consider now an equivalent formulation of strong preservation for parti- 
tions that will allow us to generalize the notion of strong preservation to generic 
abstract domains. We showed above how any partition P £ Part(Q) can be 
viewed as a partitioning closure pcl(P) £ uco p (p(Q)). Thus, any partition P in- 
duces the abstract semantics |-]f = [-]/ Cl(P) : C — > pcl(P). The following result 
characterizes strong preservation for P in terms of the associated closure pcl(P). 

Lemma 4.1. P £ Part(Q) is s.p. for C and I iff 'ip £ £ and s £ Q, s £ [p] / 4=> 

pci(P)(W) c Mf. 

Let us stress the paradigm shift stated by Lemma 4.1. This tells us that a 
partition P £ Part(Q) is s.p. for £ and I if and only if to check that some 
system state s £ Q satisfies some formula p £ £, i.e. s £ [p]j, is equivalent to 
checking whether the abstract state associated to s, i.e. the block pcl(P)({s}) 
of P containing s, is less than or equal to, namely is contained in, the abstract 
semantics [p]f of p, which is an element of the abstract domain pcl(P). Here, the 
key observation is that in our abstract interpretation-based framework partitions 
are just particular abstract domains. Thus, the above characterization leads to 
generalize the notion of strong preservation from partitions to generic abstract 
semantic functions as follows. 

Definition 4.2. Let I be an interpretation for a language C (inducing the con- 
crete semantic function [•]/). Let p £ uco(p(Q)) and let [•]* : £ — > p be an 
abstract semantic function for £. We say that |-]^ is strongly preserving for £ 
and / if for any S C Q and ip £ £, p(S) C [<p]N 4=> S C [p]/. □ 

Definition 4.2 generalizes classical state-based strong preservation, as char- 
acterized by Lemma 4.1, both to an arbitrary abstract domain p £ uco(p(Q)) 
and to an arbitrary semantic function |-p : £ — > p evaluating formulae on p. 
Hence, [■]** may be different from the abstract semantics |-]j induced by the 
abstract domain p. It turns out that indeed this notion of strong preservation 

2 Dams [11] uses the term “adequate”. 




Strong Preservation as Completeness in Abstract Interpretation 



25 



is an abstract domain property, namely if a s.p. abstract semantics [■]** may be 
defined on some abstract domain p then the induced abstract semantics |-]j is 
s.p. as well, as stated by the following result. 

Lemma 4.3. If [■]# : £ —> p is strongly preserving for £ and I then |-]j is 
strongly preserving for £ and I. 



This result allows us to define without loss of generality strong preservation 
for abstract domains as follows: a closure p £ uco (p(Q)) is strongly preserving 
for £ and I when |-]j is s.p. for £ and I. 

As recalled above, the concrete semantic function [•]/ induces a state parti- 
tion Pc, which is the fully abstract partition according to our definition, since Pc 
encodes the “best” strongly preserving partition, where “best” means coarsest 
(i.e. the greatest w.r.t. the ordering A). In other terms, Pc is the coarsest par- 
tition such that the states in any block cannot be distinguished by the language 
£. We aim at defining an analogous of Pc for closure-based abstractions, namely 
the “best” strongly preserving closure. Given a partition P £ Part(Q), the as- 
sociated partitioning closure pcl(P) £ uco p (p(Q)) is completely determined by 
its behaviour on states q £ Q, namely on singletons {g} £ p(Q), since pcl(P) is 
additive (cf. Lemma 3.2). Of course, this does not happen for a generic closure 
p £ uco(p(Q)). This means that a generalization of Pc to closures must take 
into account the behaviour of the closure on all the subsets of Q. Thus, if we 
define, for S C Q, S \= ip iff Vs £ S.s |= ip, one might try the following definition: 
the “best” s.p. closure pc for £ is given by 

hc(S) = U{T £ p(Q) | Vp £ £. S f= ip -o- T (= ip}. 

However, this does not work, as shown by the following example. 



Example 4.4. Let us consider the simple transition system ( Q,R ) depicted in 
the figure and the language £ generated by the grammar ip ::= p | EXp, where 
the set of the atomic propositions is AP = {pi,P2} with interpretation I{p\) = 

Cb) Pl b\= EX »1 i a ’ b } and J (P 2 ) = M (and /(EX) = 
pre [/?]). Note that b \= EXpi while a 
EXpi. In this case, we have that Pc = 
{a, b, c} £ Part(Q). By using the above def- 
inition of pc, it turns out that pc = Xx.x £ 
uco(p(Q)). However, the closure p = {0,b,c,ab,abc} is more abstract than pc 
and still strongly preserving. In fact, it is not difficult to check that for any 
ip £ £, [<p]j = [p]j, and therefore, according to Definition 4.2, p is strongly 
preserving for £. □ 




a EX Pl 



Instead, we may note that if p £ uco (p(Q)) is s.p. for £ then the following 
property holds: for any S £ p(Q) and tp £ £, S f= ip => p(S) j= ip. In fact, if 
S \= p and x £ p(S) then ^({x}) C p(S) and therefore, since p(S) C Ipjf <^> 
S |= ip, we have that /r({a:}) C \ip\f, and thus, again by strong preservation, 
x |= ip. Actually, it turns out that this weaker property characterizes the best 
s.p. closure for £. 




26 



F. Ranzato and F. Tapparo 



Definition 4.5. Let [•]/ : £ —> p(Q) be the concrete semantic function. Then, 
we define He '■ p(Q) p(Q ) as follows: for any S £ p(Q), 

he(S) = jJl T e p(Q) \V<p&£.S{=p=>T\=p}. □ 

ft is not hard to check that He is indeed a closure. It turns out that He 
actually is the right candidate for the best s.p. abstract domain. 

Theorem 4.6. Let h £ uco(p(Q)). Then, h is s.p. for £ and I iff /iC He- 

Thus, nc actually is the “best” s.p. abstract domain, i.e. , it is the most 
abstract s.p. closure: He = LJ{^ £ uco(p(Q)) | h is s.p. for £ a nd !}■ Moreover, 
it turns out that He is exactly the closure meet-generated by the set of concrete 
semantics of all the formulae in £. 

Proposition 4.7. he = -Ad({M/ I p e £})■ 

As a consequence, we have that h is s.p. for £ an d / iff Vp £ £. [p] / £ /r iff 
Vp £ £.[<£>]/ = IpIi- Let us remark that as strong preservation for a partition 
P w.r.t. £ means that P is a refinement of the state partition Pc induced by 
£ likewise strong preservation for a closure h means that g is a refinement of 
the closure He of Definition 4.5 induced by £ . Strong preservation and full ab- 
straction for partitions become particular instances, through the isomorphism of 
Theorem 3.3, of the corresponding notions for closures, as stated by the following 
result. 

Proposition 4.8. Let P £ Part(Q). 

(1) Pe = par(pc) and pcl(P £ ) = P (hc)- 

(2) P is s.p. for £ and I iff P 4 par (hc) iffpcl(P) E P(/4c). 

Finally, it is natural to ask when the closure He induced by a language £ is 
partitioning. 

Proposition 4.9. Let £ be closed under possibly infinite logical conjunction. 
Then, He is partitioning iff £ is closed under logical negation. 



Example 4.10. Consider the transition system ( Q,R ) depicted in the figure 
and the temporal language CTL with atomic propositions p and q where I ( p ) = 
{1,2,4} and I(q) = {3}. Consider the partition P = {124,3} £ Part(Q) induced 
' p U^2) p by the interpretation I. It is well known [2] that the 
•b — 7 state partition Pqtl £ Part(Q) induced by CTL can 

be obtained by refining P using the Paige-Tarjan [20] 
partition refinement algorithm. It is easy to check that 
Pctl = {14, 2, 3}. However, the partition Pctl does not 
carry all the semantic information. By Proposition 4.8 (1), Pctl is the state 
equivalence induced by hctl- Also, by Proposition 4.7, ^ctl is the Moore- 
closure of {[<^]/ | £ £ CTL}. In this very simple case, it is easy to check 
that hctl = {0,2,3,14,23,124,134,1234}. Thus, as expected from Proposi- 
tion 4.8 (1), Pctl = par(ttCTL)- Since CTL is closed under logical negation, by 





Strong Preservation as Completeness in Abstract Interpretation 



27 



Proposition 4.9, it turns out that pctl is partitioning and pctl = pcI(Pctl)- 
Of course, this is not always the case. As an example, consider the following 
sublanguage £ of CTL: ::= p \ q \ A <p 2 | EX<p. Then, {1,3,4} ^ p £ : in 

fact, {1, 3, 4} can be obtained as the semantics of the CTL formula q V EXp, i.e. 
\q VEXp]/ = {1,3,4}, while it is easy to observe that it cannot be obtained from 
a formula in £. In this case, p £ = {0, 2, 3, 14, 23, 124, 1234} and P £ = {14, 2, 3}. 
Here, it turns out that pc is not a partitioning closure, namely a loss of precision 
occurs in abstracting p £ , through the mapping par, to the partition Pc- □ 



5 Completeness and Strong Preservation 

We need to consider forward completeness of abstract domains for generic n-ary 
semantic functions. Let C be any complete lattice, f : C n —> C, with n > 0, 
and p £ uco(p(Q)). Thus, p is forward /-complete, or simply /-complete, when 
/o(p, ...,p) = po/o(p, ...,p), i.e., for any f £ p n , /(f) G p. If F C Fun(C), p is 
F-complete when p is /-complete for each / G F. Note that when / : C° — > C, 
i.e. / G C, p is forward /-complete iff / G p. Moreover, note that any p G uco(C') 
is always forward meet-complete, because any closure operator is Moore-closed. 
We first note that the forward F-complete shell refinement always exists. 

Lemma 5.1. Let F C Fun(p(<5)) and p G uco(C). Then, Sf([j,)= U {p £ 
uco(C) | p C p, p is F-complete} is F-complete. 

We call Sf ■ uco (C) —> uco(C) the F-complete shell (or complete shell, when 
F is clear from the context) refinement, since S f ( p) is the most abstract F- 
complete domain which refines p. As a straight consequence, the complete shell 
of a closure admits the following constructive fixpoint characterization. 

Lemma 5.2. Let Rf : uco(C) p(C) be defined as follows: Rf(p) == {/(f) € 
Cl / G F, f G p^^}. Then, Sf(p) = gfp(Ap.p n M(Rf(p)))- 

For finite state systems, for any p G uco(C), the operator Ap.pld A4(Rf(p)) : 
uco(C) —> uco (C) is trivially co-continuous and therefore its greatest fixpoint 
can be computed through the Kleene’s iteration sequence. Moreover, for unary 
operators, the iterative computation of the fixpoint <Sf(p) can be simplified by 
applying Rf just to the new sets added in the previous iteration step, as follows. 

Lemma 5.3. Let C be finite, FCC->C and p G uco(C). Define inductively 
po = p, pi = A4 (poUFf(po)), and, fori £ N, p i+2 = M(n i+ iUR F (pi+i\pi)). 
Then, there exists n £ N such that Sf(p) = Pn- 

Let us now turn to strong preservation. Given a language £, our goal is to 
single out a set of operators F such that refining a closure p for F-completeness 
is equivalent to refining ?y in order to get strong preservation for £. The seman- 
tics of £ is determined by the interpretations AP and Op of, respectively, the 
set of atomic propositions AP and the set of operators Op. Thus, Op is the 
obvious candidate for F. Moreover, we know (cf. Theorem 4.6) that an atomic 




28 



F. Ranzato and F. Tapparo 



proposition p is strongly preserved by a domain 77 if and only if p £ 77. Also, 
recall that in partition refinement algorithms like Paige-Tarjan [20] for CTL 
and Groote-Vaandrager [16] for CTL-X, the interpretation of the atomic propo- 
sitions determine the blocks of the initial partition, or, otherwise stated, the 
blocks of the partition to refine give the atomic propositions of the language. 
Likewise, here the fixpoints of the initial closure 77 provide the interpretation of 
the atomic propositions of C. This is more general, since 77 need not to be a par- 
tition of system states. This can be formalized by associating to any set of sets 
S C p(Q) a set of atomic propositions AP 5 = {pt \ T £ S} that are interpreted 
by the interpretation function Is defined by Is(pt) = T. Also, given a closure 
77 £ uco(p(Q)) and a language £ with operators ranging in Op, we consider the 
language C v where AP V is the set of atomic propositions while the operators 
still are in Op. The interpretation for C v therefore is I v = 77 U Op. Then, the 
following key result shows the announced relationship between forward complete 
shells and strong preservation. 

Theorem 5.4. Let 77 £ uco(p(Q)) and C be a language with operators in Op 
closed under logical conjunction. Then, So P (p) is the most abstract closure which 
refines 77 and is s.p. for C v . In particular, So P {p) = Pc„- 

The opposite direction is also interesting: given a language C, the following 
result characterizes the “best” s.p. closure pc for C as a forward complete shell of 
a closure associated to C. This comes as a straight consequence of Theorem 5.4. 

Corollary 5.5. Let C be given by AP and Op, let I be the interpretation and 
let C be closed under logical conjunction. Let pap = A4({/(p) | p £ AP}). Then, 
he = So p {pap)- 

It is also worth remarking that, as a consequence of Proposition 4.8 (1), the 
state equivalence induced by the language can be retrieved from the closure 
So P {p). =s 0p (n) = =£„• 

Theorem 5.4 provides a clean and precise generalization of the many existing 
coarsest partition refinement algorithms from an abstract interpretation per- 
spective. Indeed, the coarsest refinement of a given partition which is strongly 
preserving for a given language can be characterized using our abstract domain- 
based approach as follows. 

Corollary 5.6. Let C be closed under logical conjunction and P £ Part(Q). 

(1) Let P r be the coarsest partition refinement of P which is strongly preserving 
for C and Ip. Then, P r = par(<So P (A4(P))). 

(2) Let C be closed under logical negation and let P r be the coarsest partition 
refinement of P which is strongly preserving for C and Ip. Then, pcl(P r ) = 
So p (pcl(P)). 

Note that, by the corollary above, in general the closure-based complete re- 
finement of a partitioning closure pci (P) associated to a partition P does not 
provide the closure associated to the corresponding partition-based refinement, 




Strong Preservation as Completeness in Abstract Interpretation 



29 



but a more abstract closure. The following result shows that a closure is parti- 
tioning iff it is forward complete for the complement C. As a consequence, when 
the language is closed under logical negation the two refinement techniques agree. 

Lemma 5.7. If p £ uco(p(Q)) then, p is partitioning iff p is forward Z-complete. 

We can draw the following consequence. Let C be closed under logical con- 
junction. Then, by Theorem 5.4 and Lemma 5.7, C is closed under logical nega- 
tion iff for any p £ uco(p(Q)), So P (p) is partitioning. Hence, for languages 
which are not closed under logical negation, the output partition of any par- 
tition refinement algorithm for achieving strong preservation for C is not the 
optimal, i.e. “best”, abstraction refinement. 

6 Application to Behavioural State Equivalences 

We apply the above results to a number of standard temporal languages. It is well 
known that some of these languages like CTL and CTL-X induce state equiv- 
alences which coincide with standard behavioural equivalences used in process 
algebra like bisimulation and stuttering equivalence. We obtain as consequences a 
new characterization of these behavioural equivalences in terms of forward com- 
plete abstract interpretations which shows the following remarkable fact: these 
behavioural properties for a state equivalence ~ can be interpreted as suitable 
completeness properties of ~ viewed as an abstract interpretation. Due to lack 
of space we do not consider here the case of CTL-X and stuttering equivalence. 

Bisimulation. Let T = ( Q , R , AP, I) be a Kripke structure ( R is assumed to be 
total). Let us recall the well known notion of bisimulation. A symmetric relation 
~ C Q x Q is a bisimulation on the Kripke structure T if for any s, s' £ Q such 
that s ~ s': (1) £(s) = i(s'); (2) for any t £ Q such that s — > t, there exists 
t' £ Q such that s' — »• t' and t ~ t' . In particular, a partition P £ Part(Q) is 
called a bisimulation on T when the relation = p is a bisimulation on T. The 
(set-tlreoretically) largest bisimulation relation exists and will be denoted by 
~bis- It is well known [2] that ~bis is an equivalence relation, called bisimulation 
equivalence , which coincides with the state logical equivalence induced by the 
language CTL, i.e., ~bis = =ctl (the same holds for CTL*). On the other hand, 
it is also known that it is enough to consider Hennessy-Milner logic [17], i.e. 
a language C\ allowing full propositional logic, i.e. conjunction plus negation, 
and the temporal connective EX, in order to have a state equivalence =c, which 
coincides with =ctl- The language C\ is then defined by the following grammar: 

ip ::= p \ Vi A (p 2 \ -iip \ EXy> 

where p £ AP and the interpretation I for the connectives is standard. 

It is also well known that the bisimulation equivalence ~bis can be obtained 
through the Paige-Tarjan [20] partition refinement algorithm on the input parti- 
tion determined by the interpretation of atomic propositions, i.e., the partition 
par (pap) where pap = A4({p | p £ AP}). Here, exploiting Theorem 5.4, we get 
the characterization of bisimulation equivalence in terms of forward complete- 
ness (points (1) and (3) below) and of the Paige-Tarjan partition refinement 
algorithm as a complete shell refinement (points (2) and (4) below). 




30 



F. Ranzato and F. Tapparo 



Corollary 6 . 1 . Let T be finite and P £ Part(Q). 

(1) P is a bisimulation on T iff pci (P) is forward complete for {p | p £ AP} U 
{pre [/?]}. 

(2) Let P r be the output partition of the Paige-Tarjan algorithm on input P. 
Then, pci (P r ) =S {C ' Pie[R]} {M(P)). 

(3) ~bis C ,p r e[i?] } (map) ’ 

(4) For any p £ uco(p(Q)), «S{C, P re[.R]}(/ i ) = pcl(P^), where Pf is the output 
partition of the Paige-Tarjan algorithm on input par (p). 

In our abstract interpretation-based terminology, given a generic closure p £ 
uco(p(Q)), , pre [_R]}(/i) is the most abstract refinement of p which is s.p. for 
C\ (where the atomic propositions are determined by p). Since the operators of 
C\ include both logical conjunction and negation, by Lemma 5.7, this complete 
shell is always partitioning, i.e. it is a representation of a partition by a closure. 

Example 6 . 2 . Let us consider the transition system in the figure, taken from 
[11, Sect. 6.6]. Also, consider the partition P = {1,4,2356} which induces the 
atomic propositions AP = {p,q,r}, where p = {2356}, q = {4} and r = {1}. 

It turns out that P is not a bisim- 
ulation. This can be checked on the 
abstract interpretation side by Corol- 
lary 6.1 (1): in fact, p = pcl(P) = 
{0, 1,4, 2356, 14, 12356, 23456, 123456} 
is not pre[P]-complete, because, for in- 
stance, pre[P]({l}) = {1235} ^ pcl(P). 
Obviously, this logically corresponds to the fact that for EXr £ Pi, [EXr] = 
{1, 2, 3, 5} while [EXr]p = p({1235}) = {12356}. Using Definition 4.2 of strongly 
preserving closure, this corresponds to the fact that p({6}) = {2356} C [EXrJ^ 1 
while 6 ^ [EXr]. It is easy to check that the Paige-Tarjan algorithm on the input 
partition P yields the partition P r = {1, 2, 3, 4, 5, 6}. Thus, by Corollary 6.1 (4), 
we have that «5>{C, P re[ftl}(M) = pcl(P r ) = p(Q). Thus, for any S C Q there exists 
a formula <p £ Ci such that [<p] = S. □ 

Simulation equivalence. Consider the language C -2 obtained from Ci by drop- 
ping logical negation, namely C -2 is defined by the following grammar: 

ip ::= p | ipi A ip 2 I EX<p 

It is known — see for example the handbook chapter by van Glabbeek [22, 
Sect. 8] — that the state equivalence =£ 2 induced by C 2 coincides with sim- 
ulation equivalence. Let us briefly recall the notion of simulation relation. Let 
T = ( Q , P, AP, C) be a Kripke structure. A relation <7 C Q x Q is a simulation 
if for any s,s' £ Q such that sas': (1) £(s) = £(s'); (2) if, for some t £ Q, s — > t 
then there exists some t’ £ Q such that s' — > t' . Then, simulation equivalence 
~simC QxQ is defined as follows: s ~ s im s' iff there exist two simulation relations 
< 7 , r C Q x Q such that suV and s'ts. A number of algorithms for computing 
the partition ~ s j m , which coincides with Pc 2 , have been designed (e.g. [1,3,18]). 
Here, as a consequence of Theorem 5.4, we get the following characterization of 
simulation equivalence in terms of forward completeness (recall that pap is the 
closure determined by the interpretation of atomic propositions AP): 





Strong Preservation as Completeness in Abstract Interpretation 



31 



Corollary 6.3. ~ sim = =s pie[R] ^ AP )- 

Moreover, as argued after Lemma 5.7, since £2 is not closed under logical 
negation, we have that the output partition P r of simulation equivalence com- 
puted by the aforementioned algorithms is not optimal for the strong preserva- 
tion of £2, in the sense that the partitioning closure pcl(P r ) does not coincide 
with the set of formula semantics {\^\t | £ £ 21- 

Example 6.4. Consider the transition system of Example 6.2. Let us compute 
the simulation equivalence ~ s i m by resorting to Corollary 6.3 and to the iterative 
method of Lemma 5.3. Let map = A4({1, 4, 2356}) = {0, 1, 4, 2356, 123456}. 

Mo = Map 

Ml = A4(M0 C Ppre[P] (Mo) ) 

= A4(mo U (1235 = pre[P]({l}), 346 = pre[i?]({4}), 235 = pre[P]({2356})}) 

= (0, 1, 1235, 235, 2356, 3, 346, 36, 4, 123456} 

M2 = A4(mi u Ppre[fi](Mi \ Mo)) = A4 (mi u {23456 = pre[P]({346})} 

= {0, 1, 1235, 2, 235, 2356, 23456, 3, 346, 36, 4, 123456} (fixpoint) 

Thus, M£ 2 = M2 = £ P re[p] (map) and = ~ s ; m , i.e., the partition associated 
to the simulation equivalence is Pc 2 = {1, 2, 3, 4, 5, 6}. As expected, note that 
pcl(Pc 2 ) C <S pre [pi ( map)- Also note that Pc 2 is the same partition obtained 
for bisimulation in Example 6.2, although the closures M£i and M£ 2 are well 
different. □ 



7 Conclusion 

We designed an abstract interpretation-based framework to study the proper- 
ties of strong preservation of abstract model checking, where classical abstract 
model checking systems based on state partitions are embedded as particular 
abstract interpretations. Our main result showed that the minimal refinement of 
an abstract domain for achieving the completeness property w.r.t. the semantic 
operators of some language £ is exactly equivalent to the minimal refinement 
of the corresponding abstract model checking in order to get strong preservation 
for £. It is worth mentioning that we exploited the results in this paper to devise 
a generalized abstract interpretation-based Paige-Tarjan partition refinement al- 
gorithm which is able to compute the minimal refinements of abstract models 
which are strongly preserving for a generic inductively defined language [21]. 



Acknowledgements. We wish to thank Mila Dalla Preda and Roberto Gia- 
cobazzi who contributed to the early stage of this work. This work was partially 
supported by the FIRB Project “Abstract interpretation and model checking for 
the verification of embedded systems” and by the COFIN2002 Project “CoVer”. 




32 



F. Ranzato and F. Tapparo 



References 

1. B. Bloom and R. Paige. Transformational design and implementation of a new 
efficient solution to the ready simulation problem. Sci. Comp. Program., 24(3): 189- 
20, 1995. 

2. M.C. Browne, E.M. Clarke and O. Grumberg. Characterizing finite Kripke struc- 
tures in propositional temporal logic. TCS, 59:115-131, 1988. 

3. D. Bustan and O. Grumberg. Simulation-based minimization. ACM TOCL, 
4(2):181-204, 2003. 

4. E.M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided 
abstraction refinement. In Proc. CAV’OO. LNCS 1855:154-169, 2000. 

5. E.M. Clarke, O. Grumberg and D. Long. Model checking and abstraction. ACM 
TOPLAS, 16(5):1512-1542, 1994. 

6. E.M. Clarke, O. Grumberg and D.A. Pcled. Model checking. The MIT Press, 1999. 

7. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static 
analysis of programs by construction or approximation of fixpoints. In Proc. 4th 
ACM POPL, pp. 238-252, 1977. 

8. P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In 
Proc. 6th ACM POPL, pp. 269-282, 1979. 

9. P. Cousot and R. Cousot. Temporal abstract interpretation. In Proc. 27th ACM 
POPL, pp. 12-25, 2000. 

10. M. Dalla Preda. Completeness and stability in abstract model checking. Master 
Thesis, Univ. of Verona, 2003. 

11. D. Dams. Abstract interpretation and partition refinement for model checking. 
Pli.D. Thesis, Eindhoven Univ., 1996. 

12. D. Dams, O. Grumberg, and R. Gerth. Abstract interpretation of reactive systems. 
ACM TOPLAS, 16(5):1512-1542, 1997. 

13. R. Giacobazzi and E. Quintarelli. Incompleteness, counterexamples and refine- 
ments in abstract model checking. In Proc. SAS ’01, LNCS 2126:356-373, 2001. 

14. R. Giacobazzi and F. Ranzato. Refining and compressing abstract domains. In 
Proc. 24th ICALP, LNCS 1256:771-781, 1997. 

15. R. Giacobazzi, F. Ranzato, and F. Scozzari. Making abstract interpretations com- 
plete. J. ACM, 47(2):361-416, 2000. 

16. J.F. Groote and F. Vaandrager. An efficient algorithm for branching bisimulation 
and stuttering equivalence. In Proc. ICALP ’90, LNCS 443:626-638, 1990. 

17. M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency. 
J. ACM, 32(1):137-161, 1985. 

18. M.R. Henzinger, T.A. Henzinger and P.W. Kopke. Computing simulations on finite 
and infinite graphs. In Proc. 36th FOCS, pp. 453-462, 1995. 

19. C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving 
abstractions for the verification of concurrent systems. Formal Methods in System 
Design, 6:1-36, 1995. 

20. R. Paige and R.E. Tarjan. Three partition refinement algorithms. SIAM J. Corn- 
put., 16(6):973-989, 1987 

21. F. Ranzato and F. Tapparo. Generalizing the Paige-Tarjan partition refinement 
algorithm through abstract interpretation. Manuscript, Univ. of Padova, 2004. 

22. R.J. van Glabbeek. The linear time - branching time spectrum. In Handbook of 
Process Algebra, pp. 3-99, 2001. 




Static Analysis of Digital Filters* 



Jerome Feret 

DI, Ecole Normale Superieure, Paris, FRANCE 
jerome . f eretOens . f r 



Abstract. We present an Abstract Interpretation-based framework for 
automatically analyzing programs containing digital filters. Our frame- 
work allows refining existing analyses so that they can handle given 
classes of digital filters. We only have to design a class of symbolic prop- 
erties that describe the invariants throughout filter iterations, and to 
describe how these properties are transformed by filter iterations. Then, 
the analysis allows both inference and proofs of the properties about the 
program variables that are tied to any such filter. 



1 Introduction 

Digital filters are widely used in real-time embedded systems (as found in auto- 
motive, aeronautic, and aerospace applications) since they allow modeling into 
software behaviors previously ensured by analogical filters. A filter transforms 
an input stream of floating-point values into an output stream. Existing analyses 
are very imprecise in bounding the range of the output stream, because of the 
lack of precise linear properties that would entail that the output is bounded. 
The lack of precise domains when analyzing digital filters was indeed the cause 
of almost all the remaining warnings (potential floating-point overflows) in the 
certification of a critical software family with the analyzer described in [1,2]. 

In this paper, we propose an Abstract Interpretation-based framework for 
designing new abstract domains which handle filter classes. Human intervention 
is required for discovering the general shape of the properties that are required 
in proving the stability of such a filter. Roughly speaking, filter properties are 
mainly an abstraction of the input stream, from which we deduce bounds on 
the output stream. Our framework can then be used to build the corresponding 
abstract domain. This domain propagates all these properties throughout the 
abstract computations of programs. Our approach is not syntactic, so that loop 
unrolling, filter reset, boolean control, and trace (or state) partitioning are dealt 
with for free and any filter of the class (for any setting) is analyzed precisely. 

Moreover, in case of linear filters, we propose a general approach to build the 
corresponding class of properties. We first design a rough abstraction, in which 
at each filter iteration, we do not distinguish between the contributions of each 
input. Then, we design a precise abstraction: using linearity, we split the output 
between the global contribution of floating-point errors, and the contribution of 

* This work was partially supported by the ASTREE RNTL project. 

D.A. Schmidt (Ed.): ESOP 2004, LNCS 2986, pp. 33-48, 2004. 

(c) Springer- Verlag Berlin Heidelberg 2004 




34 



J. Feret 



the ideal filter behavior. Global floating-point error contribution is then bounded 
using the rough abstraction, while ideal filter output is precisely described by 
formally expanding it, so that the contribution of each input is exactly described 
in the real field, and then approximated in floating-point arithmetics. 

We have instantiated our framework for two kinds of widely used linear filters: 
the high bandpass and second order filters. The framework was fully implemented 
in OCaml [8] and plugged into an existing analyzer. We have obtained bounds 
that are very close to sample experimental results, which has allowed solving 
nearly all of our remaining warnings [2] . 

Previous works. To our knowledge, this is the first analysis that abstracts 
filter output invariants. Nevertheless, some work has been done in filter optimiza- 
tion. In [7], affine equality relationships [6] among variables at the beginning and 
at the end of loop iterations are used to factorize filters at compile time. In our 
case, because of floating-point rounding errors, there are no such affine equality 
relationships, so a more complex domain such as polylredra [5] is required to per- 
form the same task. Moreover, our programs involve complex boolean control 
flows. Thus, filter factorization cannot be performed without a highly expen- 
sive partitioning. Furthermore, our goal is just to prove the absence of error at 
runtime, and not to describe precisely the global behavior of filters. 

Outline. In Sect. 2, we present the syntax and semantics of our language. In 
Sect. 3, we describe a generic abstraction for this language. In Sect. 4, we define a 
generic extension for refining existing abstractions. In Sect. 5, we give numerical 
abstract domains for describing sets of real numbers. In Sect. 6, we describe, 
on our examples, the general approach to building such generic extensions. In 
Sect. 7, we describe the impact of these extensions on the analysis results. 

2 Language 

We analyze a subset of C without dynamic memory allocation nor side-effect. 
Moreover, the use of pointer operations is restricted to call-by reference. For 
the sake of simplicity, we introduce an intermediate language to describe pro- 
grams interpreted, between the concrete and an abstract level. We suppose that 
lvalue resolution has been partially solved (see [2, Sect. 6.1.3]). Furthermore, as- 
signments (which use floating-point arithmetics at the concrete level) have been 
conservatively abstracted into non-deterministic assignments in the real field, 
i.e., floating-point expressions have been approximated by linear forms with real 
interval coefficients. These linear forms include both the rounding errors and 
some expression approximations (see [10]). We also suppose that runtime errors 
(such as floating-point overflows) can be described by interval constraints on the 
memory state after program computations. 

Let V be a finite set of variables. We denote by X the set of all real number 
intervals (including R. itself). We define inductively the syntax of programs in 
Fig. 1. We denote by £ the set of expressions E. We describe the semantics of 
these programs in a denotational way. An environment (p 6 V -> R) denotes a 
memory state. It maps each variable to a real number. We denote by Env the set 




Static Analysis of Digital Filters 35 



V £ V, / € X 

E ■- I \ V\ (- V ) + E\ V + E\ IxV + E 

P :=V = E\ skip | if (V > 0) {P} else {P} | while (V > 0) {P} | P; P 

Fig. 1. Syntax. 



i/] B (p) = i, m e(p) = { P (v)} 

U-V) + E\ e (p) = {a- p(V) | ae{Ej E (p)},lV + Ej E (p) = {p(V) + a \ a £ lEj E (p)} 
I [IxV + E] E (p) ={bx p(V) + a | a £ [E\ B (fi), b £ 1} 

W = E\p{p) = {p[V ^x]\x£ m E (p)} 

[skip] p (p) = {p} 



[if (F > 0) {Pi} else {P 2 }Jp(p) = 



'[Pi]p(p) ifp(V)>0 

[P 2 ] p (p) otherwise 
[[while ( V > 0) (P}]p(p) = {p' € Inv \ p' {V) < 0} 
where Inv = lfp (X >-> {p} U (UULPMp') I p' € X,p'{V) > 0})) 
IPi;P2]p(p) = U(II- p 2lp(p / ) | p' G [Pi1p(p)} 



Fig. 2. Concrete semantics. 



of all environments. The semantics of a program P is a function (|P]p £ Env — > 
p(Env)) mapping each environment p to the set of the environments that can 
be reached when applying the program P starting from the environment p. The 
function |_]p is defined by induction on the syntax of programs in Fig. 2. Loop 
semantics requires the computation of a loop invariant , which is the set of all 
environments that can be reached just before the guard of this loop is tested. 
This invariant is well-defined as the least fixpoint of a U-complete endomorphism 
in the powerset p(Env). Nevertheless, such a fixpoint is usually not computable, 
so we give a decidable approximate semantics in the next section. 

We describe two filter examples, that we will use throughout the paper. 

Example 1. A high bandpass filter can be encoded by the following program: 

V = R-, E 1 = [0; 0]; 

while (V > 0) { 

— M; T — 1R; Eq = I\ 
if (T > 0) {S = 0} 

else {S = A x S + E 0 + (-E}) + F}; 

Ei = E 0 ; 

} 

Roughly speaking, the interval I denotes the range of filter entries. Floating- 
point rounding errors are captured by the range of both intervals A and F. The 
interval A describes the filter coefficient and satisfies AC [|; 1[. Variables V and 
T allow control flow enforcement. At each loop iteration, the variable S denotes 
the value of the current filter output, the variable E 0 denotes the value of the 
current filter input, and the variable E\ denotes the value of the previous filter 
input. Depending on the value of T, the filter is either reset (i.e. , the output is 
set to 0), or iterated (i.e., the value of the next output is calculated from the 
last output value and the two last input values). The analysis described in [2] 




36 



J. Feret 



only discovers inaccurate bounds for the variable S. It works as if the expression 
AxS + E 0 — Ei + F were approximated by 4 x S+(2 x I+F). The analysis 
discovers the first widening threshold l (see [1, Sect. 2.1.2]) such that l is greater 
than 2 *.!.„ ) for any (i, /, a) £ I x F x A. It proves that l is stable, and then 
successive narrowing iterations refine the value l. □ 



Example 2. A second order digital filter can be encoded as follows: 

V = R;£7 1 = [0; 0]; E 2 = [0; 0]; 

while (V > 0) { 

V — M; T — M; Eg — I] 

if (T > 0) {So = Eg: Si = Eg} 

else {S 0 = Ax S ± + B x S 2 + C x E 0 + D x Ei + E x E 2 + F}; 

E2 = Ei; Ei = Eg] S2 = Si; Si = So 

} 

Roughly speaking, the interval I denotes the range of filter entries. Intervals A, 
B , C, D and E denote filter coefficients and satisfy A C [0; 00 [, B C] — 1; 0[ and 
V(a, b) € A x B, a 2 + 4 x b < 0. Floating-point rounding errors are captured by 
the range of intervals A , B, C, D , E and F. Variables V and T allow control flow 
enforcement. At each loop iteration, the variable So denotes the value of current 
filter output, variables Si and S 2 denote the last two values of filter output, the 
variable Eg denotes the value of the current filter input, and variables Ei and 
E 2 denote the last two values of filter input. Depending on the value of T, either 
the filter is reset (i.e., both the current and the previous outputs are set to the 
same value), or iterated (i.e., the value of the next output is calculated from the 
last two output values and the last three input values). The analysis described 
in [ 2 ] fails to discover any bound for the variables So, Si, S 2 . □ 

3 Underlying Domain 

We use the Abstract Interpretation framework [3,4] to derive a generic approxi- 
mate semantics. An abstract domain Env $ is a set of properties about memory 
states. Each abstract property is related to the set of the environments which 
satisfy it via a concretization map 7 . A 11 operator U allows the gathering of infor- 
mation about different control flow paths. Some primitives ASSIGN and GUARD 
are sound counterparts to concrete assignments and guards. To effectively com- 
pute an approximation of concrete fixpoints, we introduce an iteration basis _L, 
a widening operator V and a narrowing operator A . Several abstract domains 
collaborate, and refine each others using very simple constraints: variable ranges 
and equality relations. These constraints are related to the concrete domains 
via two concretization functions 7 x and 7 = that respectively map each function 
£ V — > X to the set of the environments p such that MX £ V, p(X) £ p\X), 
and each relation TZ C V 2 to the set of environments p such that for any vari- 
ables X and Y, (X,Y) £ TZ implies that p(X) = p(Y). The primitives RANGE 
and EQU capture simple constraints about the filter input stream, and about 




Static Analysis of Digital Filters 



37 



IV = Ef(a) = assign (V = E, a) 
[skip] 8 (a) = a 



[if (V > 0) {A} else {Ab}]] ** (a) = an U a 2 , with 



[ai = [Pif (guard (V, [0;+oo[,o)) 
[ a 2 = [P 2 ]* (guard (V, ] — 00; 0[, a )) 
[while (V > 0) (PjJ^a) = guard(V, ] — 00; 0[, Imfi) 
where Inv ^ = lfp** (A’e)aU [P] 11 (guard (T, [0; +00 [, A'))) 

[Pi;P2]V) = [A] # ([A]V)) 



Fig. 3. Abstract semantics. 



the initialization state, to be passed to the filter domains. Conversely, a primi- 
tive REDUCE receives the constraints about the filter output range to refine the 
underlying domain. 

Definition 1 (Generic abstraction). An abstraction is defined by a tuple 
(Env^y, U, ASSIGN, GUARD, _L,V, A, RANGE, EQU, REDUCE) Such that: 

1. Env ** is a set of properties; 

2. 7 £ Env ** —> p(Env) is a concretization map; 

3. Va, b £ Emfl, 7(a) U 7(6) C y(a U b); 

4- Va £ Enrfi, £ (V — » I), 7 (a) (~l 7 x(p^) C 7(REDUCE(pt*, a)), 
moreover reduce ([J^f i-a K], a) = a; 

5. V is a widening operator such that: \/a,b £ Enifl, 7 (a) £17(6) C 7 (aV&); 
and Vp® £ (V — >• X), (af) £ (£W*) N , t/ie sequence (aj) defined by a q = 
REDUCE (p^, ao) and a^ +1 = REDUCE(p^,a^Va ra+ i) is ultimately stationary; 

6. A is a narrowing operator such that: \/a,b £ PnV*, 7(a) £17(6) C 'y(aAb); 
and Vp* £ (V — >• X), (af) £ (£W*) N , t/ie sequence (af ) defined by a g = 
REDUCE (p^ , ao) and a^ +1 = REDUCE(p®, Aa n+ i), is ultimately stationary; 

7. Va £ £ V,A £ £T, p £ 7(a), [AT = A]p(p) C 7 (assign(X = E,a)); 

8. Va £ PW*, X £ V,/ £ I, (p £ 7(a) | p(X) £ 1} C 7 (guard(X, /, a)); 

P. Va £ 7 (a) C 7x(RANGE(a)) and 7(a) C 7 = (EQU(a)). 

Least fixpoint approximation is performed in two steps [3]: we first com- 
pute an approximation using the widening operator; then we refine it using 
the narrowing operator. More formally, let / be a U-complete endomorphism 
of p(Env), and (/*• £ Env ^ -A Env #) be an abstract counterpart of / satisfying 
Va £ Env^, (/°7)(a) C (70 /N)(a). The abstract upward iteration (C%) of /•* is 
defined by Cq = ± and C% +1 = C^V f$(C%). The sequence (C%) is ultimately 
stationary and its limit satisfies lfp(/) C 7 (CJ). Then the abstract down- 
ward iteration (D„) of is defined by Dq = CJ and D^ +1 = D^Af^(D^). The 
sequence (D£) is ultimately stationary and its limit satisfies lfp(/) C 7 (D£). 
So we define lfp**(/**) by the limit of the abstract downward iteration of /**. 

The abstract semantics of a program is given by a function ([_]# £ Emf -A 
Env N) in Fig. 3. Its soundness can be proved by induction on the syntax: 

Theorem 1. For any program P, environment p, abstract element a, we have: 

p £ 7(a) => [-Pjp(p) C 7 ([P] a (a)) . □ 




